PROGRAM UPDATES

Version 10

• Modification of 1 scope
  • serveur10.notebleue.com to serveur12.notebleue.com
• Addition of rules for reporting leaks and exposed credentials

Version 9

• Modifications of 2 scopes
  • odoo13.notebleue.pro to odoo14.notebleue.pro

Version 8

• Increase all the reward grids "Low", "Medium", "High" & "Critical"

Version 7

• Removed scopes (no longer relevant)
  1. ywh.www.zebottin.fr
  2. ywh.static.zebottin.fr

Version 6

• Migrated all MySQL tables to MongoDB collections (in preparation for a future load-balanced configuration)

Version 5

• Addition of note concerning some restricted scopes.

Version 4

• Increase in the reward grids "High" & "Critical"
• Addition of 7 new scopes :
  • ywh.update.zecible.fr
  • odoo13.notebleue.pro
  • registre.notebleue.pro
  • svn.notebleue.pro
  • todo.notebleue.pro
  • webtoolbox.notebleue.pro
  • cam.notebleue.pro

Version 3

• Addition of 6 new scopes :

  • ywh.api.zecible.fr
  • ywh.dev.zecible.fr
  • ywh.crons.zecible.fr
  • ywh.routage.zecible.fr
  • ywh.www.zebottin.fr
  • ywh.static.zebottin.fr

  • Renaming of 5 scopes

  • dev.comptage.zecible.fr to ywh.comptage.zecible.fr

  • dev.static.zecible.fr to ywh.static.zecible.fr
  • dev.fichiers.zecible.fr to ywh.fichiers.zecible.fr
  • dev.mydata.zecible.fr to ywh.mydata.zecible.fr
  • dev.admin.zecible.fr to ywh.admin.zecible.fr

Version 2

• Addition of 3 new scopes :
  • dev.fichiers.zecible.fr
  • dev.mydata.zecible.fr
  • dev.admin.zecible.fr

Version 1

• Inital program submission.

PUBLIC PROGRAM DESCRIPTION

Company

Note Bleue via its Zecible brand provides companies with a selection of prospecting files of professionals and individuals :

• 33 million B2C profiles with many profiling criteria (age, income, sex, interests, etc.)

• 11 million companies (head offices, establishments, turnover, workforce, sector of activity, etc.)

• 1.9 million direct contacts of Executives, Decision-makers, and Executives classified by function and service

Program Rules

• We have a team of in-house developers, who will be ready to be responsive to your reports and work collaboratively with you if you think you have identified a security bug.

• Although we pay attention to the security aspects of our servers and applications, we also know that nothing is infallible...

• We are pleased to work with qualified people to help us identify the weaknesses of our technology.

• Any type of denial of service attack is strictly prohibited, as well as any interference with our network, equipment or infrastructure.

• We do not want the discoveries to be disclosed to the public or to a third party.

Eligibility and Responsible Disclosure

We want to financially reward all those who submit valid reports to us and help us improve the security of our services. The eligibility requirements for receiving rewards after discoveries of deficiencies are as follows :

• You must be the first person to reveal a valid vulnerability (not every duplicate report will be rewarded),

• The vulnerability must be an acceptable vulnerability associated with a site or server in "Scope".

• Any vulnerabilities found must be reported within 24 hours of discovery and only through the Bug bounty program at www.yeswehack.com

• You must not publicly disclose any vulnerabilities,

• You must send a clear textual description of the report and the steps to follow to reproduce the issue, including attachments such as screenshots or proof of concept code if necessary.

• You must not perform tests that could cause a degradation or interruption of our service (avoid using automated tools, and limit yourself to a maximum of 2 requests per second).

• You must not disclose, manipulate, extract or destroy any user data or any data to which you have access.

• You must not be a former or current employee of Zecible or one of its subcontractors.

• Please focus on qualifying vulnerabilities

• We intend to respond and resolve the reported issues as quickly as possible. Depending on our workload and the severity of the issue, you can expect an update from us within 24 to 96 hours maximum following the initial submission date of the report.

• Zecible reserves the right to modify the terms of this program or terminate it at any time.

What is the sensitive data

• All information from the databases.

• Any private information about our customers, employees or one of our vendors / subcontractors.

REWARDS

Zecible will provide rewards to eligible reporters of qualifying vulnerabilities.

Reward amounts may vary depending upon the severity of the vulnerability reported and based on the CVSS environmental score (Zecible will rate the base, temporal and environmental CVSS metrics).

Zecible will determine in its sole discretion whether a reward should be granted and the amount of the reward.

COMMUNICATION CHANNEL

If you think you’ve found a vulnerability, please do not publicly disclose these details outside of this process without explicit permission. Please include the following details with your report and be as descriptive as possible :

• Vulnerability Location & Type - The exact location(vulnerable URLs and parameters) and the nature of the vulnerability;

• Steps to Reproduce - A detailed description of the steps required to reproduce the vulnerability (screenshots, compressed screen recordings, and proof-of-concept scripts are all helpful); and

• Attack Scenario - A relevant example attack scenario explaining the prerequisites to the attack, and its exact impact in a realistic context.

NOTE CONCERNING SOME RESTRICTED SCOPES

Some scopes are restricted (IP/Login/Password) and reserved for internal use. They are supposed to be accessed only by Zecible and are strictly confidential.

It is therefore expected that you do not (easily) access them... We included them in the public program in order to test the accuracy of the defined restrictions.

Here are all the scopes concerned :

1. odoo13.notebleue.pro
2. registre.notebleue.pro
3. svn.notebleue.pro
4. todo.notebleue.pro
5. webtoolbox.notebleue.pro
6. cam.notebleue.pro

REPORTS OF LEAKS AND EXPOSED CREDENTIALS

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope, such as:

• Exposed credentials in/from an out-of-scope asset/source
• Sensitive information exposed in/from an out-of-scope asset/source

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.
This excludes, but is not limited to:

• Stolen credentials gathered from unidentified sources
• Exposed credentials that are not applicable on the program’s scope
• Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
• Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related tothe program’s scope
• Exposed PII on an out-of-scope asset

Eligible reports

Reports of exposed secrets, credentials and sensitive information will be considered eligible if it complies with the following :

• The source of exposure/leak is under Zecible control, directly or indirectly. (e.g. stolen information or bundled information from a random source is not eligible)
• The exposed information has been verified (or tested) and confirmed
  If you identify a source (under our control) that is leaking multiple data, we kindly ask you to report it in a single report and we will consider the impact based on the nature and depth of the exposed data.

To summarize our policy, you may refer to this table :

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

• DO NOT alter compromised accounts by creating, deleting or modifying any data
• DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
• In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.

Qualifying vulnerabilities

• Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes.

Non-Qualifying vulnerabilities

• Stolen secrets, credentials or information gathered from a third-party asset that we have no control over