True Vikings never entered the battlefield without their helmets. And we
believe a secure environment, just like free access to open communication, is
a worldwide human right. But even the best Viking Drakkars may sometimes
encounter vulnerabilities. Brave sailors who discover leaks should be honored
- not executed.
Together with you and our broad community, we want to create a secure and safe
environment for everyone. Give us reasonable time to respond, before you make
any information public. Also avoid privacy violations, destruction of data and
interruption or degradation of our service during your research.
Grab your battle axes and conquer those bugs!
Latest news
[10/01/18] - Updated non-qualifying bugs, correct link to account-only form
[22/04/15] - Scope updated, new website .vikingco.com added
PLEASE READ - Important notes
- Please do NOT use automatic scanners - be creative and do it yourself! We cannot accept any submissions found using automatic scanners. Scanners also won't improve your skills, and they can cause a high server load (we'd rather spend our time thanking researchers than blocking their IPs :-))
- Please do NOT discuss bugs before they are fixed. You can send us a video as proof of concept, but remember to change its privacy settings to private
- Upon registration, please use "HackerOne" as your last name - so our sales team knows not to flood you with SIM cards. ;-)
- You can register an account here: https://mobilevikings.be/en/registration/account/
The scope
At the moment, we are only accepting submissions for:
.mobilevikings.be
.vikingco.com
Accepted bugs
We're interested in all kinds of bugs that could affect user data or Mobile
Vikings' integrity. These include - but are not limited to - the following
bugs:
- Remote Code Execution
- SQL Injection
- File Inclusion / Directory Traversal
- Cross Site Scripting
- Cross Site Request Forgery with a realistic attack scenario
- Privilege escalation
- Significant enumeration attacks
- Open redirects
Non-qualifying bugs
- Social engineering attacks
- Clickjacking
- Low-level HTTPS/SSL best practices
- Best practices in general
- Denial of Service attacks
- Bugs found using automated scanning tools
- Publicly published bugs
- Banner/version disclosure
- Missing headers (except if this implies a significant risk)
- Brute force attacks
- Login/logout CSRF
- Password complexity reports
- Duplicates
- Low risk reports without a realistic or exploitable attack scenario (e.g. a login/logout CSRF)
- Issues with password reset token/link expiry that require access to the victim's mailbox
Attributes of a good report
- Provide detailed but to-the-point reproduction steps
- Include a clear attack scenario. How will this affect our Viking user base?
- Remember: quality over quantity!
Response timeframe
- We will respond to a report within two weeks at most, probably faster (the average is a couple of hours, also at the weekend ;-))
Reward?
We will honor every Viking who sends in a valid report in our HackerOne
Viking Hall of Fame!
We don't do bounties on HackerOne.
This program was found on HackerOne on 2015-02-18.