True Vikings never entered the battlefield without their helmets. And we
believe a secure environment, just like free access to open communication, is
a worldwide human right. But even the best Viking Drakkars may sometimes
encounter vulnerabilities. Brave sailors who discover leaks should be honored
- not executed.
Together with you and our broad community, we want to create a secure and safe
environment for everyone. Give us reasonable time to respond, before you make
any information public. Also avoid privacy violations, destruction of data and
interruption or degradation of our service during your research.
Grab your battle axes and conquer those bugs!
[10/01/18] - Updated non-qualifying bugs, correct link to account-only form
[22/04/15] - Scope updated, new website .vikingco.com added
PLEASE READ - Important notes
- Please do NOT use automatic scanners - be creative and do it yourself! We can not accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time in thanking researchers rather than blocking their IP's :-))
- Please do NOT discuss bugs before they are fixed. You can send us a video as proof of concept, but remember to change its privacy settings to private
- Upon registration, please use "HackerOne" as your last name - so our sales team knows not to flood you with SIM cards. ;-)
- You can register an account here: https://mobilevikings.be/en/registration/account/ __
At the moment, we are only accepting submissions for:
We're interested in all kinds of bugs that could affect user data or Mobile
Vikings' integrity. These include - but are not limited to - the following
- Remote Code Execution
- SQL Injection
- File Inclusion / Directory Traversal
- Cross Site Scripting
- Cross Site Request Forgery with a realistic attack scenario
- Privilege escalation
- Significant enumeration attacks
- Open redirects
- Social engineering attacks
- Low-level HTTPS/SSL best practices
- Best practices in general
- Denial of Service attacks
- Bugs found using automated scanning tools
- Publicly published bugs
- Banner/version disclosure
- Missing headers (except if this implies a significant risk)
- Brute force attacks
- Login/logout CSRF
- Password complexity reports
- Low risk reports without a realistic or exploitable attack scenario (e.g. a login/logout CSRF)
- Issues with password reset token expiry links that require access to the victims mailbox
Attributes to a good report
- Provide detailed but to-the point reproduction steps
- Include a clear attack scenario. How will this affect our Viking user base?
- Remember: quality over quantity!
- We will respond to report in ultimately two weeks, probably faster (average would be a couple of hours, also in the weekend ;-))
We will honor every viking that sends in a valid report in our HackerOne
Viking Hall of Fame!
We don't do bounties on HackerOne.
This program have been found on Hackerone on 2015-02-18.