Banner object (1)

Hack and Take the Cash !

626 bounties in database


Colruyt Group

Colruyt is a family business from Lembeek, in the province of Flemish Brabant, and was founded more than 80 years ago. Today, the small company has developed into a family of companies: the Colruyt Group. A flourishing player, active in 4 countries with numerous retail formulas.

Initially, the supermarket Colruyt was the parent company for all the new store formulas (DreamLand, OKay, Bio-Planet, etc.). As these companies also grew into mature companies in the course of time, they felt the need to become self-sufficient. Colruyt is no longer the supporting cradle, but a sister amongst sisters. And Colruyt Group is today a family of equal sister companies.IMPORTANT: The websites Colruyt, Dreamland, Dreambaby and Collishop partially share the same codebase. They can contain common issues. If a specific issue has already been found in another one of these websites it will be treated as a duplicate for this one.

We do not accept any kind of brute-forcing attacks on forms.

All XTRA services are out of scope in this project

The XSS in the search bar on is a known issue, please don't report this, since this will be marked as duplicate.

General Best practices concerns Highly speculative reports about theoretical damage. Proof it and be concrete. DDoS or any kind of Brute Forcing Attacks Publicly accessible login panels Reports that state that software is out of date/vulnerable without proven exploitable risks Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue in the context of our tool * Physical or social engineering attempts (this includes phishing attacks against employees)

Application Stack trace information Open redirects XSS issues in non-current browsers (older than 3 versions) Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console) Cross-site Request Forgery (CSRF) Missing cookie flags on non-security sensitive cookies Missing security headers which do not present an immediate security vulnerability Banner grabbing issues (figuring out what web server we use, etc) Clickjacking Username/email enumeration via Login Page or Forgot Password error messages * Host header injection

Infrastructure Open ports without an accompanying proof-of-concept demonstrating vulnerability Recently disclosed 0 day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues. Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs) Missing SPF, DCIM or DMARC records

All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating we've put some examples below. Note that depending on the impact a bug can sometimes be given a higher/lower severity rating.


  • Remote Code Execution


  • Access to all customer personal details
  • SQL injection


  • Stored XSS without user interaction
  • Privilige escalation
  • Authentication bypass on critical infrastructure


  • XSS that requires user interaction
  • CSRF with a significant impact


  • CSRF with a very limited impact
  • Weak ciphers/certs



We have knowledge about the self-XSS in the searchbar on, please don't report this

Guidelines Provide detailed but to-the point reproduction steps Include a clear attack scenario, a step by step guide in the PoC is highly appreciated Abide with the "Colruyt Policy for investigation of security problems" set of rules. Please do NOT discuss bugs before they are fixed (including PoC's on youtube and vimeo)

Hall of Fame

List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2018