FireBounty
52235 policies in database
Link to program      
2021-04-12
Swiss Post logo
Thank
Gift
HOF
Reward

Reward

Swiss Post

ABOUT THE PROGRAM

Swiss Post - the world’s best postal service - stands for secure and trustworthy conveyance of information.

In order to meet the highest quality standards, we are constantly mitigating security issues on multiple levels.

We are open to your vulnerability reports, and we will pay out a fair reward for confirmed and in-scope vulnerabilities.

Our aim is to continuously include more scopes of Swiss Post into this program. But we also reserve the right to terminate this program at any time.

PROGRAM RULES

Participants are permitted to perform any tests and investigations on the systems, as long as they act in good faith and respect the scope and rules described below.

GENERAL RULES

Please read the following rules carefully, especially the information regarding the scopes of this program and the corresponding reporting requirements.

Please do not interfere with other hunters’ work when searching for vulnerabilities.

If the definition of the scope prevents you from exploiting other server-side vulnerabilities, this will be taken into consideration when calculating the compensation (e.g. you successfully pwn a server and are ready for lateral movement, but you do not exploit surrounding systems because they are out of scope).

ELIGIBILITY AND RESPONSIBLE DISCLOSURE

We would like to thank everyone who submits valid reports that help us improve the security of Swiss Post’s IT system. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code where necessary (see the reporting requirements for the corresponding scope).
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit your requests per second). If you over do it, your IP address might be throttled or even (temporarily) blocked to protect our infrastructure.

Reports on vulnerabilities are examined by our security analysts - our analysis is always based on worst case exploitation & the business criticality of the vulnerability, as is the reward we pay.

LEGAL SAFE HARBOR - CONSEQUENCES OF COMPLYING WITH THESE PROGRAM RULES

  • The Swiss Criminal Code classifies any type of hacking as a crime. This section ensures that, security researchers are safe from any prosecution when they act in good faith.
  • Swiss Post will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good faith violations of the program rules.
  • Swiss Post interprets activities by participants that comply with the program rules as authorized access under the Swiss Criminal Code. This includes Swiss Criminal Code Articles 143, 143bis and 144bis.
  • Swiss Post will not file a complaint against participants of this program for trying to circumvent the security measures deployed in order to protect the services in scope as outlined below.
  • If legal action is initiated by a third party against a participant, and the participant has complied with the program rules as outlined in this document, YesWeHack and Swiss Post will take the necessary measures to inform the authorities that such participant’s actions have been conducted in compliance with this policy.
  • Any non-compliance with the program rules may result in exclusion from the bug bounty program.
  • For minor breaches, a warning may be issued. For severe breaches, Swiss Post reserves the right to file criminal charges.

SCOPE

The scope of this bug bounty program includes the following apps, web apps and URIs, as well as all the Swiss Post resources directly sourced from these web apps.

Login & Registration

Here you can create your account for the "Swiss Post Customer Login" and login to the digital world of Swiss Post. Please note that the alternative login with SwissID (https://login.swissid.ch) is out of scope.

Postshop

This is the official online shop of Swiss Post.

My Consignments

Here you can manage your shipments and organize your preferred delivery options.

Address maintenance

This online service provides all Swiss Post services for your addresses on a single platform – from verifying to updating and address management.

Recipient Services

This service gives you access to different recipient services of Swiss Post.

PostApp

The Post-App offers useful support and practical information on Swiss Post services

Billing Online

Billing Online is our payment service that is used within many of our online services.
Two additional use cases that you can acces through your wallet (https://account.post.ch/selfadmin/payment/) are loading your wallet and changing your credit card details.

There are no test credit cards for our productive environments. We suggest using your own credit cards.

For more information, please have a look at the integration guidelines.

Please note that some of the applications may contain links or redirect you out of the URIs described here. This means you are leaving the scope if you follow these links / redirects.

Dangling DNS

At the very core of any organization's web infrastructure lays DNS.
A dangling DNS entry is considered to be a DNS record pointing to a different domain/IP which is currently free/unregistered and can be brought in possession of an adversary.
Although this program’s scope is limited, we are appreciative of any help provided on this specific topic.

For the *.post.ch domain we are accepting :

  • Reports of Dangling DNS record with no further evidence of subdomain takeover (Reward = 300 euros)
  • Reports of Dangling DNS record with a PoC and demonstrated subdomain takeover (Reward = 1000 euros)

Reports of leaks and exposed credentials

In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

To summarize our policy, you may refer to this table :

Type of leak Source of leak is in-scope Source of leak belongs to Swiss Post but is out-of-scope Source of leak does not belong to Swiss Post and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Eligible Not eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Not eligible Not eligible

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
  • In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describing and listing what is exposed.

Peculiarities

  • We reserve the right to use a "OneFixOneReward" rule, i.e., if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the ensuing flaws, only one report will be considered as eligible for a reward and other reports will be closed as informative. However, all reports will be reviewed edge by edge.

GL;HF

Happy Hunting!

In Scope

Scope Type Scope Name
android_application

https://play.google.com/store/apps/details?id=com.nth.swisspost&hl=de_CH&gl=US
ios_application

https://apps.apple.com/ch/app/die-post/id378676700
web_application

https://account.post.ch
web_application

https://shop.post.ch/shop
web_application

https://service.post.ch/ekp-web/
web_application

https://service.post.ch/zopa/app/
web_application

https://service.post.ch/ele-klp/ele/
web_application

https://billingonline.post.ch/OnlinePayment/Web/v1/BOI

Out of Scope

Scope Type Scope Name
undefined

Anything that has not been described as in scope in the previous section is automatically out of scope.
undefined

Attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes DNS, NTP, routers, systems of the ISP, etc.).
undefined

The alternative login (https://login.swissid.ch) is out of scope. It also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope.
undefined

Please note that some of the applications may contain links or redirect you away from the URIs described in the scope section. This means you are leaving the scope if you follow these links / redirects.

Firebounty have crawled on 2021-04-12 the program Swiss Post on the platform Yeswehack.

FireBounty © 2015-2024

Legal notices | Privacy policy