CCM Benchmark Group
CCM Benchmark Group is a French online media company. We run a network of more than
40 sites in 13 languages, covering high-tech, news, health, economy and more. We
have more than 50 million visitors monthly.
Even though we do not store any sensitive personal information, we take security very
seriously. That is why we want to challenge our code and reinforce our
practices.
The current program covers our “restaurant” app on our website.
The scope of this program includes the following URL:
The URLs containing /cgi are out of scope and should not be tested.
Some features of this application require you to create an account. The
whole account management flow (login/logout) is out of scope, so you may create
an account in order to access all features, but do not report anything
regarding login/logout, sessions, etc.
Report security vulnerability
If you believe you have discovered a security vulnerability in a CCM Benchmark
website, please report it with a thorough explanation of the vulnerability.
Please include full details of the security issue, including a
proof-of-concept URL, the details of the system on which the tests were conducted
(when relevant) and detailed reproduction steps. Your report must be reproducible
to be considered valid.
The following vulnerabilities are excluded from all our programs:
- Login / Logout CSRF
- Password and account recovery policies, such as reset link expiration or password complexity
- Use of a known-vulnerable library (without evidence of exploitability)
- Reports from automated tools or scans
- Vulnerabilities affecting users of unsupported browsers or platforms
- Social engineering
- Any physical attempts against CCM Benchmark Group property or data centers
- Vulnerabilities in third-party software or networks (such as any CDN we use)
- Issues with no security impact
- Any vulnerability regarding the lack of encryption (e.g. HTTPS) on some pages
- You must make a good-faith effort to avoid any data destruction, interruption or degradation of any CCM Benchmark Group service,
- You must agree to and comply with our program rules,
- You must be the first person to report the vulnerability to us,
- You must not publicly disclose any vulnerability,
- You must not violate any local, state, national or international law.
If you want to test or create any resource (restaurant, comment, etc.), you must prefix its name with "BBounty". This helps our team identify and delete those resources after your tests :)
Supported browsers and platforms:
- Chrome 52+
- Firefox 43+
- Safari (on macOS and iOS)
- Internet Explorer 9 and later
CCM Benchmark Group will give rewards at its discretion for a serious and
reproducible vulnerability. You are responsible for any applicable taxes
associated with any reward you receive. Any report that results in a change to
our codebase will be rewarded with, at minimum, a 50€ reward and a Hall of Fame
Please note that we may modify the terms of this program or terminate it at
- 2017-04-10: edit scope, add 2 exceptions (http://www.linternaute.com/restaurant/expert/ and http://www.linternaute.com/restaurant/questionnaire/)
- 2017-04-12: edit scope, add 1 exception (http://www.linternaute.com/restaurant/flash/*) and add the prefix rule for restaurant creation
- 2017-04-24: re-opening of the program and scope modifications (switch from exclude to include ;) )
- 2017-11-13: edit scope: the prefix rule now applies to any created resource, not just restaurants
Hall of Fame