2021-09-03

VRT

Flemish Radio and Television Broadcasting Organization bug bounty program

The VRT (Flemish Radio and Television Broadcasting Organization) considers it important that its information and systems are secure. If you have found a vulnerability in one of the items in scope, please let us know so that we can take measures as quickly as possible. We would like to work with you to protect our audience and our systems in a better way.

The use of your intigriti.me email address is required for testing things that require login.

We also have a Responsible Disclosure Program that applies to all VRT systems and domains. In case of doubt about the scope, please contact us to clarify matters.

Don't use the following methods, as these are our production environments:

  • Bruteforce username/password logins
  • Directory / file enumeration: Rate limit used in automation 1 request per second

For "Ketnet" we are specifically looking for:

  • Ways to impersonate another user
  • Ways to list registered users or obtain their data
  • Ways to alter the content visible on the site

All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating we've put some examples below. Note that depending on the impact a bug can sometimes be given a higher/lower severity rating.

Exceptional

  • RCE (Remote Code Execution)

Critical

  • Access to all customer personal data
  • SQL injection

High

  • Stored XSS without user interaction
  • Privilege escalation
  • Authentication bypass on critical infrastructure
  • Causing end-user impact on livestreams or VOD items with malicious requests (not through volumetric DoS!)

Medium

  • XSS
  • CSRF with a significant impact
  • Unauthorized access to protected content like VOD items

Low

  • XSS that requires lots of user interaction (> 3 steps)
  • CSRF with a very limited impact
  • Google Maps API key misconfiguration
  • Open redirect

Our promise to you

  • We will respond to your report as soon as possible!
  • We are happy to respond to any questions; please use the button in the top right corner for this.
  • We respect the safe harbour clause that you can find below

Your promise to us

  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoCs on YouTube and Vimeo)
  • Please do not use automatic scanners. Be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time in thanking researchers rather than blocking their IPs 😉)

In Scope

Scope Type         Scope Name
undefined          1001982587
web_application    4ever.ketnet.be
web_application    be.vrt.ketnet.ketnetjr
web_application    bff.ketnet.be
web_application    data.ketnet.be
web_application    dedokterbeashow.ketnet.be
web_application    juniormusical.ketnet.be
web_application    kaatje.ketnet.be
web_application    magazine.ketnet.be
web_application    privacy.ketnet.be
web_application    senior-bff.ketnet.be
web_application    www.ketnet.be
web_application    content.ketnet.be
web_application    vrtnws-api.vrt.be
web_application    api.sporza.be
web_application    api.vrt.radio
web_application    cds.vrt.radio
web_application    live-cf-vrt.akamaized.net
web_application    live-cf.lwc.vrtcdn.be
web_application    login.vrt.be
web_application    media-services-public.vrt.be
web_application    ondemand-cf.lwc.vrtcdn.be
web_application    ondemand-vrt.akamaized.net
web_application    player.vrt.be
web_application    profiel.vrt.be
web_application    remix-cf-vrt.akamaized.net
web_application    remix-cf.lwc.vrtcdn.be
web_application    sport-components.sporza.be
web_application    sporza.be
web_application    stubru.be/luister/select
web_application    vrt.be/vrtnu
web_application    vrt.be/vrtnws


This program, crawled on 2021-09-03, is sorted as bounty.
