Program Bug Bounty

"Bounty hunting" znamená v preklade niečo ako "Lov na odmenu". A my sme sa rozhodli jeden taký lov vyhlásiť, podobne ako naši kolegovia v Deutsche Telekom ešte v roku 2013. Cieľom lovu sú tzv. „bugy“ – chyby a slabina na našich webových stránkach. Aj keď sa o bezpečnosť našich služieb neustále staráme ako najlepšie vieme, sme realisti. A je nám jasné, že aj popri všetkej snahe, spoľahlivých systémoch a neustálej kontrole, sa môže objaviť niekde nejaká trhlinka. Presne preto sme sa rozhodli poprosiť o pomoc aj vás. A samozrejme, nechceme to úplne zadarmo. V tomto programe sa zameriame výhradne na bezpečnosť nášho portálu www.telekom.sk. Bug Bounty bude prebiehať tak dlho, kým to bude potrebné a nevyhlásime koniec loveckej sezóny. Na love sa môže prakticky zúčastniť ktokoľvek, okrem súčasných a bývalých zamestnancov všetkých spoločností skupiny Deutsche Telekom, ako aj ich príbuzných.

Ešte pred začatím lovu je dobré si povedať niečo o základných pravidlách:

• Odmena patrí každému, kto odhalí chybu, ktorá nie je verejne známa. Musí ale ísť o prvý report (právo na odmenu má teda len ten, kto bug nahlási ako prvý).

• Každý účastník programu, ktorý narazí na zraniteľnosť portálov, je viazaný tzv. zodpovednou mlčanlivosťou (pozri nižšie).

• Chyby ulovené za pomoci skenovacích nástrojov sa nepočítajú.

• Odmena sa nevypláca ani za bugy založené na zastaraných (neopatchovaných) softvérových súčastiach tretích strán (teda nie T-Mobile alebo Deutsche Telekom).

• Report musí obsahovať príklad (unikátny dotaz alebo PoC kód) a detailný opis chyby vrátane typu webového prehliadača a jeho nastavení.

• Každý report prosím posielajte ako samostatný e-mail na adresu bugbounty(zavináč)telekom.sk.

Výška odmeny je závislá od prípadu a bude posudzovaná individuálne (záleží na závažnosti chyby). Aby ste mali predstavu, tu je stručný prehľad:

• SQL (exploitable) - odmena až 1 500 €.

• Remote Code Execution - odmena až 1 500 €.

• CSRF (authenticated) - odmena až 750 €.

• LFI / RFI - odmena až 300 €.

A navyše bude každý úspešný účastník zverejnený aj v našej sieni slávy (samozrejme, pokiaľ bude chcieť).

Každý účastník je viazaný „zodpovednou mlčanlivosťou“. Čo to znamená?

• Účastník nemôže poskytnúť akékoľvek informácie o objavenej chybe tretej strane.

• Nesmie zbierať dáta, ku ktorým sa prostredníctvom bezpečnostnej chyby dostane a ktoré by mohli byť považované za zákaznícke, a nesmie ich odovzdať nikomu ďalšiemu.

• Účastník nám poskytne všetky informácie o chybe, aby sme ju mohli čo najskôr opraviť.

• Účastník vynaloží všetko svoje úsilie, aby pri bezpečnostnom testovaní neobmedzil dostupnosť akejkoľvek nami poskytovanej služby.

Ak by ste mali ďalšie otázky, kontaktujte nás na adrese bugbounty(zavináč)telekom.sk.

Všetko jasné? Želáme úspešný lov!

Pravidelne aktualizujeme zoznam našich hrdinov - lovcov, ktorí sa aktívne zapojili do programu Bug Bounty.

Milan Kyselica - Cross-site scripting (XSS)

Yunus YILMAZ (@ynsy34) - Unsecured communication, Cross-site scripting (XSS), Cross-site request forgery (CSRF), Open redirect

Shaikh Yaser Arafat - Information Disclosure

Mohamed R. Serwah (@serWazito0) - Default login

Tijo Davis - Cross-site scripting (XSS), Unsecured communication, Misconfiguration of password reset functionality, Possible DoS Attack

Abhishek Karle (https://twitter.com/Abhishekkarle3) - Missing rate limit, Unsecured communication, Cross-site request forgery (CSRF), User enumeration

Yaroslav Oleynik (@oja_c7s) - Cross-site scripting (XSS)

Ben Chinoy - Anonymous access and privilege escalation

Raphaël Arrouas (linkedin.com/in/raphaelarrouas) - RCE, Cross-site scripting (XSS)

Furkan Yılancı - HTTP header

Muhammed Sadettin Karataş (www.linkedin.com/in/muhammed-sadettin-karataş-3a8518151) - SQL Injection

Emad Shanab - Information Disclosure

Ahmet Suna (www.linkedin.com/in/ahmet-suna-ab3ba9116) - Cross-site scripting (XSS),  Information Disclosure, Directory traversal

Cuma ak - Information Disclosure

Numan Türle (https://twitter.com/numanturle) - Remote Code Execution (RCE)

Yasser Mohammed (Neroli) (github.com/neroli-realy) - Cross-site scripting (XSS)

Cihan Mehmet DOĞAN  (https://twitter.com/cihanmehmets) - Cross-site scripting (XSS)

Ahmet Gurel (www.linkedin.com/in/ahmetgurell) - Information Disclosure, Cross-site scripting (XSS)

Ján Koliba - Unsecured Communication

Can Karacan (www.linkedin.com/in/can-karacan-69ba09b8/) - Cross-Site Scripting (XSS), Information Disclosure

Mehmet Can GÜNEŞ (@mehmetcangunes/) - Account takeover, Information Disclosure, Privilege escalation for server/application, Cross-site request forgery (CSRF), Email Confirmation bypass, Cross-site scripting (XSS), Open redirect

Mustafa Kemal Can (@muskecan) - Privilege escalation for server/application

vimal v (www.linkedin.com/in/vimal-v-244273168) - Remote Code Execution (RCE)

Prakash Kumar (www.linkedin.com/in/prakashofficial ) - Improper Session Management

surg4bij4k - Cross-site scripting (XSS)

Abhiram v (www.linkedin.com/in/abhiram-v-132a24188) - Cross-site request forgery

Burak Ünal (@_d4rkbrain) - Open Redirect, Cross-site scripting (XSS), HTTP header

Sijisu (sijisu.eu) - Privilege escalation for server/application, other

Ertuğrul Özdemir (twitter.com/ertugrulphp) - Cross-site scripting - Stored (XSS)

Jeff Steinburg (@ silentbreach) - Cross-site scripting - Stored (XSS)

SureshKumar Anbazhagan - Other

Eren Şimşek (Aporlorxl23) - Information Disclosure, Cross-site scripting (XSS)

Ertan Kaya (linkedin.com/in/ertan-kaya) - Remote Code Execution (RCE)

Mohd Waseyuddin (twitter.com/Waseyuddin) - Information Disclosure

Ayush Mangal (www.linkedin.com/in/ayush-mangal-48a168110) - HTML/CSS injection

Chan Nyein Wai (www.channyeinwai.com) - Cross-site scripting (XSS)

Ismail Tasdelen - (www.linkedin.com/ismailtasdelen) - Security Misconfiguration, HTTP header, Information Disclosure, User Enumeration, Cross-site scripting (XSS)

Akshay Parse - (www.linkedin.com/in/akshay-parse-0b1176199) - Broken Access Control, Cross-site scripting (XSS)

N.I.H.O. - Security misconfiguration

Nehal Pillai - (www.linkedin.com/in/nehal-pillai-02a854172) - Broken Access Control, User Enumeration

Harinder Singh - (www.linkedin.com/in/lambardar) - Information Disclosure

B11R1M - (ww/cehb11r1m//) - Open Redirect

Shivam Tahalani - (www.linkedin.com/in/shivam-tahalani-95b8b416a) - Cross-site scripting (XSS)

Muhammed Sadettin Karataş - Broken Access Control

Viren Saroha - (www.linkedin.com/in/viren-saroha-3391371a3/) - Broken Access Control, Missing rate limit

Dan Fabro - (https://dnx.zone/) - Cross-site scripting (XSS)

Shubham Garg - (https://www.linkedin.com/in/shubhampy) - Information Disclosure

Aleksei "GreenDog" Tiurin - (https://twitter.com/antyurin) - Remote Code Execution (RCE)

Aniket Deshmane - (https://twitter.com/AniketDeshmane9?s=08) - Broken Authentication

Talha Günay (@redStarP2) - Cross-site scripting (XSS), Information Disclosure

Selahattin Altuntaş - Broken Access Control

Bartłomiej Bergier - Open Redirect

Cyber Now Labs Red Team (https://cybernowlabs.com/) - Cross-site scripting (XSS)

Girish B O (https://www.linkedin.com/in/girish-b-o-a410bb1bb) - Broken Authentication, Possible DoS Attack, Information Disclosure, Unrestricted file upload

peterjson@VSRC (https://twitter.com/peterjson) - Remote Code Execution (RCE)

Sijisu (www.sijisu.eu/) - Cross-site scripting (XSS)

Bipul Jaiswal (www.linkedin.com/in/bipuljaiswal1337) - Information Disclosure, TOCTOU, Possible DoS Attack, Cross-site scripting (XSS), HTTP header

Mustafa Sanli - exhandler (www.linkedin.com/in/mustafasanli0) - Stored Cross-site scripting (XSS), Broken Authentication, Cross-site request forgery (CSRF), HTTP header

Mateusz Kowalczyk - Security misconfiguration

Subodh Kumar (www.linkedin.com/in/s-kustm, twitter.com/s_kustm) - Open Redirect, Cross-site scripting (XSS), Other

Ritik Jangra (www.linkedin.com/in/ritik-jangra-03b80a21b) - Missing rate limit

Roneil Bordallo (web.facebook.com/roneil.dx, twitter.com/roneilbordallo,  www.linkedin.com/in/roneil-bordallo-5492a8235/ ) - Broken Access Control, Cross-site request forgery (CSRF)

K Mohammed Danish faraz (www.linkedin.com/in/danish-faraz-70555bb9, www.twitter.com/DanishKakingare?s=09 - HTML/CSS injection

Ibrahim Saud M (www.linkedin.com/in/ibrahim-saud-38a338139, www.twitter.com/ibrahimsaudm?s=08 - HTML/CSS injection

exhandler - Open Redirect, Server-side request forgery (SSRF)

Mohammed Saqlain Mushrif (www.linkedin.com/in/saqlain-mushrif-b516741b7) - Information Disclosure

Muskan Meerajamadar (www.linkedin.com/in/muskan-meerajamadar-2631231a3) - User Enumeration

Sugumaran J - Information Disclosure

Durvesh Pravin Kolhe (www.linkedin.com/in/durvesh-kolhe-012b54211) - Broken Access Control

Onkar Borude - Missing rate limit

Yash Kushwah (www.linkedin.com/mwlite/in/yash-kushwah-a80449229) - Missing rate limit

Suraj Nandlal Saroj (CPEH CPTE CSA) - Missing rate limit

Maheta Keyur Maheshbhai (https://www.facebook.com/keyur.maheta.184) - Information Disclosure

tuo4n8 (https://vsrc.vng.com.vn) - Remote Code Execution (RCE)

Amjad Ali (https://www.linkedin.com/in/amjadali110) - Clickjacking

Abhijeet Ingle (https://twitter.com/_arag0n) - Information Disclosure

Akash Patil (https://www.linkedin.com/in/akash-patil-679a921b9) - Information Disclosure

Felipe Gabriel Renzi (https://www.linkedin.com/in/felipe-gabriel-renzi) - Information Disclosure, Cross-site scripting (XSS)

Marek Mikita (https://twitter.com/spyx_myky, https://www.linkedin.com/in/marek-mikita-7849451b6/) - Information Disclosure, Open Redirect, Cross-site scripting (XSS)

foysal1197 (twitter.com/foysal1197) - Open Redirect, Cross-site scripting (XSS), Information Disclosure

Fatih Gurel (https://www.linkedin.com/in/fatihgurel/) - Cross-site scripting (XSS)

Muhammet Gedik (https://www.linkedin.com/in/muhammet-gedik-a95889167/) - Cross-site scripting (XSS), Open Redirect

Bhuwam Dixit (https://www.linkedin.com/in/bhuwamdixit) - Information Disclosure, Default login

Devansh Chauhan (https://www.linkedin.com/in/devansh-chauhan-b36b6a1b1) - Information Disclosure

Ľuboš Gulaň (https://twitter.com/lulu_sec1) -  Cross-site scripting (XSS), Text Injection, Information Disclosure, Open Redirect, Cross-site request forgery (CSRF), Broken Access Control

Akshay Bhorde (https://www.linkedin.com/in/akshay-bhorde-81665620b/) -  Security misconfiguration 

Vinit Lakra (https://www.linkedin.com/in/vinithacker/) -  Security misconfiguration 

hoseinroot (https://twitter.com/hoseinroot/) -  Information Disclosure

Akshay Bhorde (https://www.linkedin.com/in/akshay-bhorde-81665620b/) -  Information Disclosure

Leonid Krolle (https://twitter.com/KrolleLeonid) -  Remote Code Execution (RCE)

Milivoj Rajic (https://www.linkedin.com/in/milivoj-r-8b925bb5) -  Broken Access Control

JosefM -  Missing rate limit

Mohamed Siddig (@WDSiddig403) - Broken Authentication, Cross-Site scripting (XSS)

Gaurang Maheta (https://in.linkedin.com/in/gaurang883) - Information Disclosure, Server-side request forgery (SSRF), Remote Code Execution (RCE)

Battal Faik Aktaş (https://twitter.com/BattalFaikAktas) - Remote Code Execution (RCE), Server-side request forgery (SSRF), Cross-site scripting (XSS)

Ishu (Ritik) Jangra (https://www.linkedin.com/in/ishuhacker) - Prototype Pollution

Nitin Yadav - Prototype Pollution

cyberyaan-training-consultancy (https://www.cyberyaan.com/) - Remote Code Execution (RCE), Broken Access Control

Raafeh Ur Rehman - Clickjacking

Keyur Maheta (https://www.linkedin.com/in/keyur-maheta-342720256) - Information Disclosure,  Other, Server-side request forgery (SSRF)

Awab Abdalmotaleb (https://www.linkedin.com/in/awab-abdalmotaleb-53b408334/) - Information Disclosure