Banner object (1)

Hack and Take the Cash !

844 bounties in database
  Back Link to program      
19/10/2015
Maximum logo
Thanks
Gift
Hall of Fame
Reward

Reward

Maximum

Changelog:

  • 06-11-2019 Added domain careers.evonik.com to scope.
  • 04-11-2019 Updated Please do not report section with out-of-date Wordpress or Wordpress plugins.

Optimizing safety when it comes to the ICT systems is a top priority for Maximum. However, as such systems remain vulnerable, possible loopholes and weaknesses cannot be eliminated.
Hence, we would love to hear from you if you have found a weakness in one of our ICT systems. We will handle the safety issues accordingly, and therefore we make use of the following policy:

What we ask of you:

To provide enough information to reproduce the safety issue, ensuring that Maximum can solve the problem quickly. More often than not, the IP-address or the URL of the ICT system and a description of the shortcoming(s) will be enough. However, when it is a more complex problem, an elaborate description could be necessary.

To not share the information regarding the safety issue until it has been solved.

To act responsibly and accordingly by not executing more than necessary actions required for the identification of the safety issue.

Please do report:

Persistent Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF/XSRF)
Broken Authentication
Circumvention of our framework's privacy and permission models
Remote Code Execution

Please do not report:

Username dictionary attack
Self-XSS
Missing / loosely configured DNS SPF records
Social hacking
Publicly accessible login pages for cms/admin area
Security vulnerabilities in third-party applications (like Kerio) that are not patched in the latest version
Denial of Service Vulnerabilities
Missing HSTS header / Secure cookie flag (https on this site is not enabled in every part of the world)
Missing DNSSEC (we're working it)
Password reset email capture
Attacks requiring DNS takeover
Webmail accessible over non-secure connection
Missing CSP headers (we're working on it)
Subresource Integrity (SRI) not implemented
Missing Public Key Pinning headers
Mail relay server configuration issues
Wordpress or Wordpress plugins out-of-date versions within 30 days (we need time to update all our websites when a new version is out)

Whatever you do, please avoid the following actions:

Spreading or distributing malware.
Copying, changing or deleting data in the system (an alternative would be making a directory listing of the system).
Changing the system.
Repeatedly acquiring access to the system or sharing the access with others.
Making use of “bruteforcing” the access to the system.
Making use of a denial-of-service or social engineering.

What you can expect:

When a shortcoming in maximum.nl is reported accordingly to the above stated terms and conditions, Maximum will not articulate any legal consequences to the notification.
Maximum will process the report confidentially and no personal details without permission will be shared with third parties, unless this is a legal requirement.
After consultation, Maximum can acknowledge you by publishing your name as the one who identified this particular safety issue.

Within five working days, the system operator of maximum.nl will send you a confirmation of receipt.
Within ten working days, the system operator of maximum.nl will send you an evaluation of the safety issue. This will include an estimation of the time that it will take to solve the problem.
The system operator of maximum.nl will keep you updated on the progress of solving the safety issue.
The system operator of maximum.nl will try to resolve the safety issue as soon as possible, within a maximum time period of 60 days. After consultation with Maximum, it can be decided if and how the resolved safety issue will be published.
To thank you, a reward will be offered by Maximum. This reward will vary depending on the seriousness of the issue and the quality of the report.

In Scope

Scope Type Scope Name
web_application

werkenbijdefensie.nl

web_application

werkenbijfacilicom.nl

web_application

www.werkenbijbakertilly.nl

web_application

maximum.nl

web_application

werkenbijmcdonalds.nl

web_application

werkenbijderet.nl

web_application

mijn.werkenbijdefensie.nl

web_application

devmaximum.com

web_application

careers.evonik.com

Out of Scope

Scope Type Scope Name
web_application

maximum.com

web_application

mandrill.maximum.nl

web_application
web_application

evonik.com


This program crawled on the 2015-10-19 is sorted as bounty.

FireBounty © 2015-2019

Legal notices