Bug Bounty Program

Introduction

Security researchers play an integral role to discover vulnerabilities which were missed in our software development process. We strongly believe that close partnerships with security researchers make customers more secure. A planned and coordinated vulnerability disclosure is the foundation how we act and ask researchers to interact with us. We design the easyname Bug Bounty Program to support the goals of protecting our customers and broader easyname ecosystem. We highly respect the expertise, time and cooperation of security researchers in order to support us in reaching these goals. Therefore, we reward security researchers by cash for submitting findings to our eligible bounty programs. If a vulnerability is fixed, we will publicly announce it in our regular release cycle and acknowledge your contribution towards a better protection.

Submissions for findings can be made under: bugbounty[AT]easyname.com

Submissions

Submissions that contain well written descriptions, impacts, and come with steps to reproduce your proof of concept code will be eligible for higher payouts rather than stack dumps or submissions without clear impact. We ask you kindly to stick on the following submission procedure.

  • If you find a vulnerability, please report it to us privately using the mail address: bugbounty[AT]easyname.com.
  • Work with us until we have found a solution. We will do our best to be as quick as possible to respond to your submission and implement a fix.
  • In recognition of this partnership we award bounty payments.
  • If we have determined that your Submission is eligible for a Bounty under the applicable terms of this document, we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment. You may waive the payment if you do not wish to receive a Bounty.
  • Submissions must contain: Type of issue, affected service, step by step instruction to reproduce the issue, impact of the issue

Rules of the Program / Code of conduct

As soon as you submit a vulnerability, you agree to the following rules:

  • Privacy of Customer’s data: Some security research may occur on production services that our customers are using as well. We expect researchers to take care and avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. If you discover customer data while researching stop immediately and contact us.
  • Availability of Production System: Our hosting services are operating in a production environment where customers are actively using and depending on them. Research that impedes availability, including but not limited to denial of service or heavy resource utilization, is prohibited.
  • No automated tool tests: Usually, security tools produce a lot of information. They are used by our team as well. We ask four your understanding that we will not reward basic results from well-known security tools, esp. scanners.
  • No social engineering and physical attacks: We will not accept any submission which require manipulation of data or network infrastructure and/or physical attack against physical entities (like our office or datacentre) and/or social engineering of employees, contractors or customer.
  • Remote Execution: In case of remote code execution vulnerabilities we will not accept submissions when the following actions were carried out:
    • - Deleting files
    • - Jail-breaks
    • - Interrupting normal operations (e.g. triggering a reboot)
    • - Creating / maintaining persistent connections to the affected systems
    • - Uploading files that allow arbitrary command (e.g. webshells)
  • Out of Scope vulnerabilities:
    • - Expose of non-sensitive data
    • - Vulnerabilities of third party libraries without showing specific impact (e.g. CVE with no exploit)
    • - Vulnerabilities requiring a jail-break or highly modified devices
  • Stay legal: Don’t do anything illegal. Don’t engage in any activities to harm others. Don’t violate the rights of others and don’t help others to break the rules.
  • Identity: We see security researchers as our partners. In order to be able to pay you, we need your identity. Please be open to us.
  • Eligibility: In order to gain reward, you must fulfil all of the following conditions:
    • - You must be at least 18years old. In case you are younger, you will have to obtain your parent’s or legal guardian’s permission prior to participating.
    • - You are either an individual researcher or you work for an organization which allows you to participate.
    • - You aren’t a current employee of easyname or another subsidiary of our holding.
    • - You weren’t an employee of easyname or another subsidiary of our holding within the last 6 months.
    • - The vulnerability can be exploited without access to the easyname corporate network being used by employees and/or vendors.

If you violate these rules, you may be prohibited from the program and submissions you have provided may be deemed to be ineligible for payments.

Rewards

In case of vulnerability findings we will reward the following Bounties. Please be aware that the reward will be subject to the potential impact and the detail level of description.

Scope

  • Controlpanel (my.easyname.com): up to 10.000 EUR
  • Webseite (www.easyname.com): up to 2.500 EUR
  • Produktplattformen (e.g. Webhosting oder Mail): up to 7.500 EUR
  • Webmail (webmail.easyname.com): up to 7.500 EUR

Please contact us for plans in case of specific attack scenarios.

Feedback on the article: