FireBounty Alasco GmbH - Bug Bounty Program Vulnerability Disclosure Program

Link to program

2023-02-28

Thank

Gift

HOF

Reward

Alasco GmbH - Bug Bounty Program

About Alasco GmbH

Alasco offers state of the art software for financial controlling and ESG management.
Security is very important to us and this Bug Bounty program shall help us meet highest industry standards to offer the most secure service and experience to all parties.

Program Rules

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

Denial of service (DoS) attacks on Alasco GmbH applications, servers, networks or infrastructure are strictly forbidden.
Tests that could cause degradation or interruption of our services are strictly forbidden.
Do not use automated scanners or tools that generate large amount of network traffic, or use them the gentle way (max 1 request per second).
Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
Do not copy any files from our applications/servers and disclose them.
No vulnerability disclosure, full, partial or otherwise, is allowed.
Do not spam registration forms on our websites, eg https://www.alasco.de/explore/
You must append the defined user-agent to all web-based requests
Testing of the forms on our website is permitted, but please ensure that all actions are conducted thoughtfully to avoid spamming. Be conscious of the impact your testing may have and avoid repetitive or excessive submissions.

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security of Alasco GmbH, however only those that meet the following eligibility requirements may receive a monetary reward:

You must be the first reporter of a vulnerability.
The same vulnerability in different scopes will only count as one vulnerability.
The vulnerability must be a qualifying vulnerability (see below).
The report must contain the following elements:
- Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Alasco GmbH, and remediation advice on fixing the vulnerability
- Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
- Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
You must not break any of the testing policy rules listed above
You must not be a former or current employee of Alasco GmbH or one of its contractors.

Reward amounts are based on:

Reward grid of the report's scope
CVSS scoring and actual business impact of the vulnerability upon performing risk analysis
Discretionary judgement of Alasco‘s CISO

In Scope

Scope Type	Scope Name
api	api.alasco.de
web_application	app.alasco.de
web_application	*.alasco.de
web_application	*.alasco.rocks

Out of Scope

Scope Type	Scope Name
undefined	All other domains or subdomains not listed in the above list of 'Scopes'.
undefined	Please note that all non-authenticated areas of our systems are in scope for this program. This means that any vulnerability discovered in a system or service that does not require a login to access is eligible for a reward.
undefined	However, any vulnerability discovered in a system or service that requires a login to access is outside the scope of this program.
undefined	Alasco will not provide access credentials to any system, not for testing and also not for issue validation.
web_application	www.alasco.de
web_application	alasco.de
web_application	explore.alasco.com
web_application	explore.alasco.de

This program have been found on Yeswehack on 2023-02-28.