LocalTapiola bug bounty program (FireBounty listing, 22/11/2017)

Minimum reward: 50 $
"Any updates??" - aka the LocalTapiola Bug Bounty Microblog

  • 6 November 2019: We have added lisasijoitus.lahitapiola.fi, verovelvollisuustiedot.lahitapiola.fi, and sijoitusvakuutus.lahitapiola.fi to our scope. Please look at the asset descriptions for further information.
  • 27 April 2019: We have some new features that we would like to let you know about. There is a new application for cyber insurance which can be found here: https://www.lahitapiola.fi/yritys/vakuutukset/omaisuus-ja-toiminta/kybervakuutus. There is also a new damage report form which has an entry point here: https://www.lahitapiola.fi/henkilo/hae-korvausta/ajoneuvo/kolaroin-oman-ajoneuvoni - please do note that this form requires you to be an existing customer and you need to be able to log in to our services.
  • 25 March 2019: www.lahitapiolarahoitus.fi is removed from the scope.
  • 9 December 2018: We have added a new exciting target "1439784468" to our scope! In clear terms, the LemmikkiHelppi iOS app is now part of our program.
  • 28 August 2018: toimitilat.lahitapiola.fi has been taken off the program due to issues in overall response times.
  • 12 June 2018: Bug Bounty operations will slow down between June 18 and August 10. Triaging will be significantly slower and there are no production updates during this time. Reports are still welcomed of course!
  • 25 May 2018: Happy GDPR day! We have added a few lines about privacy in our policy.
  • 11 Mar 2018 - Two new domains - www.lahitapiolarahoitus.fi and myynti.lahitapiolarahoitus.fi - have been added. As always - read the instructions before reporting, or risk the chance of n/a.
  • 2 Mar 2018 UPDATE - jasenet.hr-palvelut.com is taken out of the scope until further notice. We are assessing the security level with the service provider to make sure this domain can be made eligible for our bug bounty program again. All submitted reports will be duly processed; no new reports will be accepted.
  • 2 Mar 2018 - Another addition to our scope - jasenet.hr-palvelut.com is here. No brute scanning and no best practices reports will be processed - do read the fine print about the asset first.
  • 13 Jan 2018 - A new addition to our scope - the secure messaging service - is added. Now before you get your scanners out and start submitting results - again, do read the instructions. The most successful of you will leave your nmaps and likes behind.
  • 7 Jan 2018 - A new addition to our scope - toimitilat - is added.
  • 17 Dec 2017 - We would like to remind hackers that reporting out of scope findings is a known risk that might lead to reports being closed as N/A.
  • 21 Sep 2017 - We are public again. Welcome quality reports.

The LocalTapiola bug bounty program

We expect all reporters to be professional in their manners, have the ability to submit a quality report and have a decent understanding of how our bug bounty program works.

In order to avoid misunderstandings and ambiguities, please read this policy AND the notes in our submission form before participating.

We want to hear about any security vulnerabilities in our services. We offer monetary rewards for eligible security vulnerability reports that are disclosed to us in a coordinated way. These are the rules that need to be followed to ensure that your security research does not cause a security risk to other users or their data, and to decrease the likelihood that your research would be flagged as a malicious intrusion attempt by our monitoring. We also want to be clear about certain aspects relating to acceptance of reports and payment of rewards in order to avoid any surprises.

Our bounty policy

Qualified security vulnerabilities will be rewarded based on severity and impact, to be determined by the LocalTapiola security team.

We want to be fair in our bounties - similar reports will be awarded in a similar manner. We assess all reports based on business risk - criticality - and impact. Therefore we reserve all rights to make bounty policy changes. Changes in bounties will never be retrospective. Our bug bounty program is constantly evolving.

We aim to "bounty-on-triage" - that is, make bounty decisions as soon as possible. Resolving issues can take a significant amount of time, and we want to be fair to reporters regarding time spent and payouts.

Due to complex import regulations in different parts of the world, swag is only available to our Finnish hackers.

About our customers' privacy and how we handle the GDPR

Our bug bounty program is an additional strategic component in our ICT risk management process. As such, the bug bounty program also falls under the umbrella of security testing. Security testing engagements occasionally run into live production data which may or may not contain PII (personally identifiable information). Whenever PII data is encountered during testing, we expect and require any and all persons involved to handle that data with utmost care. Showing or proving the existence of a flaw most likely does not require any data dumps - so even if possible, no dumping of PII data is allowed. Ever. Any exfiltrated PII data must immediately be deleted and any testing that might result in further PII being revealed must be halted. Do not store PII data. PII data samples, if needed in the report, should be properly obfuscated before posting. This includes submitting reports that contain your own data. In the case where PII data is posted in a report we will redact that information as soon as possible. If after the redaction the report is unintelligible, it will not be processed.

Our bounty policy allows us to add a bonus for finding flaws related to PII - when properly reported we usually do.

Please do note that email addresses, phone numbers and pictures of our staff which are available on our public websites do not count as a data leak.

Rewards

Rewards may range from $50 up to $50,000. Rewards are NOT based on vulnerability classifications nor technical gimmicky trickery. Rewards are based on business impact. That being said, certain technical vulnerabilities - like RCE against a customer system - will always carry a huge business impact. However, not all targets are equally valuable.

In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward may be paid.

Rewards may be reduced or declined if there is evidence of abuse or breach of the LocalTapiola Bug Bounty program rules.

Criticality and impact

Reward amounts will vary based upon the severity of the reported vulnerability. The bigger the potential impact on users and customer data, the bigger the reward will be. The following factors affect the reward:

  • customer scope (how many customers are potentially affected)
  • internal users scope (how many users are potentially affected)
  • systems extent (how many systems are potentially affected)
  • authentication requirements (prerequisites for exploiting)
  • difficulty of exploitability (additional requirements for exploiting)
  • exploitability time window (limitations to exploiting)
  • classification of data affected (privacy related)

ALL REWARDS, INCLUDING BUT NOT LIMITED TO THE EXAMPLES BELOW, ARE ALWAYS SUBJECT TO CRITICALITY AND IMPACT BASED ASSESSMENTS WHICH MAY REDUCE THE ACTUAL REWARD.

Minimum $5000 - examples:

  • Remote code execution on production systems housing sensitive data/functionality
  • Access to critical customer data
  • Gaining access to a customer client device
  • Changing critical functionality of a system which may lead to severe system misuse
  • Stealing identities or directly exploiting customer identities
  • A combination of several lesser issues which in combination may lead to severe outages to systems

Minimum $1500 - examples:

  • Remote code execution on secondary/segregated low criticality systems
  • Accessing customer data or manipulating customer data with minor privacy impact
  • Data leaks from internal systems
  • Blind stored XSS with proven and relevant business impact
  • Unauthorized access to internal systems
  • Privilege escalations with major impact

Minimum $500 - examples:

  • Subdomain takeovers
  • User rights elevation with minor data impact
  • Privilege escalations with minor impact
  • Technical SQL injection with customer data affected

Less than $500 - examples:

  • Header / cookie injections
  • XSS and Open Redirects
  • HTML injections in emails
  • Injections enabling realistic phishing scenarios
  • Single-user DoS or client-side DoS

Program Rules and further information

Language

We run our program in universal English and expect all reports to be submitted in English - that is, spoken or conversational English. We do appreciate the fact that reporters come from around the world, but if you are submitting reports to our program we require that you can have a decent discussion around the finding that has been submitted.

A few basic ground rules

We are pleased to reward everyone who submits valid reports which help us improve the security of LocalTapiola, however, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (as described in these rules) affecting an in-scope site (see below).
  • You may not publicly disclose the vulnerability prior to our resolution.

We only disclose reports publicly that are resolved. Also remember - If we cannot reproduce it, we cannot reward you. Make sure your reports are well written. There is no need to describe the security impact of your finding - we understand security risks and we can figure that out.

Internal pivoting, scanning, exploiting, or exfiltrating data from internal LocalTapiola systems is prohibited. Do not exploit vulnerabilities more than you need to prove your point. Do not steal data and do not use malicious or destructive payloads. Don't break the law.

We welcome vulnerability reports about out-of-scope LocalTapiola services or public web pages, too - as long as there is an actual business impact involved. Speculative reports, pure scanning tool results, best-practices reports and copy-paste bounty-begging reports will brutally and ruthlessly be closed as n/a. Don't waste our time and we won't waste yours.

Finnish bug hunters: please note that bug bounty reports shall be in English, not Finnish. Thank you for your understanding.

Regarding duplicates

We get a lot of duplicates - especially when it comes to easy-to-find and simple issues, which are mostly low-value findings. We always link back to the original report, regardless of whether the original issue is publicly disclosed or not. If the original report is not disclosed, it will most likely be disclosed later, at which time you can verify it. The simple answer to the question "if it is not publicly disclosed, how can I verify it" is: you have to trust us. We know what we are doing.

According to our internal ways of working, we do not add reporters of duplicates to the original reports. Of course, we reserve the right to make exceptions to prove this rule.

Reports that are most likely to be dismissed or not eligible for bounty

  • Most best-practices-based reports will be dismissed
  • Reports that are not directly related to the web applications on our in-scope domains will most likely be dismissed
  • Reports with very low business value (nonexistent risk, very low impact, ...) or reports that are purely theoretical will most likely be dismissed
  • Physical or social engineering attacks that pose a direct personal threat will NEVER be processed
  • Reports that are plain copy-paste from automated scanners with clearly no thought behind how to exploit the findings will most likely have a low (or no) bounty awarded
  • It is not worth reporting self-exploitation or self-XSS - there will be no bounties

To sum it up - we appreciate reports where vulnerabilities have a proof of (minimal) exploitation included. We appreciate reports around issues that carry significant business value to us. Again, we reserve the right to make exceptions to prove these rules. Subpar English skills (talking plainly through Google Translate) will most likely lead to mutual disappointment, as we will most likely not find a common understanding. Explaining business impacts requires good report writing skills.

Version numbers and CVE codes

We run a number of off-the-shelf products, commercial as well as open source. We do not accept reports purely based on CVE numbers and copy-pasted information from any CVE database or scanning tools. As this usually involves scanning for version numbers, we do not accept reports with (almost) no other information than a version number. Patching and fixing these kinds of vulnerabilities is part of our normal updating and patching cycles, and we will not award any bounties for these kinds of reports. Having said this, we do NOT exclude reports that rely on known vulnerabilities, nor findings which are very much business oriented and have a proven PoC against either our data or customers, regardless of how the vulnerability has been found (through a known CVE or based on finding a version number).

Our policy regarding vulnerabilities in 3rd party commonly used and widespread libraries

We accept reports on vulnerabilities and flaws found in 3rd party commonly used and widespread libraries which we are using in our services and applications. However, we strongly encourage you to report these findings upstream directly to the author of the affected libraries. We regard these findings as "heads-up" warnings and our bounty policy is strict - the bounty for a vulnerability in a common 3rd party library that we will eventually fix and/or patch is always $100 USD, awarded on triage. In the name of making the Internet a safer place, and in the case where the reporter does not want to handle the upstream reporting to the authors of the library, we reserve the right to do so ourselves.

Legal

In connection with your participation in this program you agree to comply with all applicable local and national laws.

You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.

Vulnerabilities obtained by exploiting LocalTapiola users or employees are not eligible for a bounty and will result in immediate disqualification from the program.

LocalTapiola has never given permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of LocalTapiola customers and publicize this information on the open, public-facing Internet without customer consent, nor has LocalTapiola ever given permission for programs or data belonging to LocalTapiola to be modified or corrupted in order to extract and publicly disclose data belonging to LocalTapiola.

LocalTapiola reserves the right to discontinue this reward program and change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to LocalTapiola of any kind.

Thank you for helping keep LocalTapiola and our customers safe!

In Scope

Scope Type        Scope Name
web_application   www.tapiola.fi
web_application   myynti.lahitapiolarahoitus.fi
web_application   yrityspalvelu.tapiola.fi
web_application   motorfnol.lahitapiola.fi
web_application   ext-gw.lahitapiola.fi
web_application   www.lahitapiola.fi
web_application   verkkopalvelu.tapiola.fi
web_application   viestinta.lahitapiola.fi
web_application   https://www.lahitapiola,fi
web_application   www.lahitapiola.fi
web_application   secure.lahitapiola.fi
web_application   • Using the smtp server to relay spam
web_application   • Leaking the actual contents of another user's email
web_application   • Modifying contents or attachments of another user
web_application   https://itunes.apple.com/fi/app/lemmikkihelppi/id1439784468?mt=8
web_application   verovelvollisuustiedot.lahitapiola.fi
web_application   lisasijoitus.lahitapiola.fi
web_application   https://www.lahitapiola.fi/henkilo/sijoitukset-ja-varainhoito/kirjaudu-rahastojen-ja-varainhoidon-verkkopalveluun
web_application   sijoitusvakuutus.lahitapiola.fi

Out of Scope

Scope Type        Scope Name
web_application   omatalous.lahitapiola.fi
web_application   email.lahitapiola.fi
web_application   lml.lahitapiola.fi
web_application   tunnistus.lahitapiola.fi
web_application   authenticate.lahitapiola.fi
web_application   www.lahitapiolarahoitus.fi
web_application   toimitilat.lahitapiola.fi
web_application   jasenet.hr-palvelut.com
web_application   tandemkirje.lahitapiola.fi
web_application   tandem.lahitapiola.fi
web_application   *.lahitapiola.fi
web_application   *.localtapiola.com
web_application   *.lahitapiola.com
web_application   *.tapiola.com
web_application   hallintoportaali.lahitapiola.fi


This program, crawled on 2017-11-22, is listed as a bounty program.

FireBounty © 2015-2019