Vulnerability Disclosure Policy (VDP)
Introduction
Bug Bounty Switzerland acknowledges the valuable role of independent security researchers acting in good faith to help maintain the safety and security of our and our customers’ data and the reliability of our products and services. We therefore welcome responsible reporting of any vulnerabilities identified in digital assets owned, operated or maintained by us.
This policy outlines the steps for reporting vulnerabilities to us. Please review the policy carefully before you test and/or report a vulnerability. We are committed to collaborate with security researchers to verify and address any potential vulnerabilities that will be reported.
Scope
Any public-facing digital asset owned, operated, or maintained by Bug Bounty Switzerland.
Out of Scope
Please note that we use services from other companies for some parts of our systems and infrastructure. Vulnerabilities discovered or suspected in those systems should be reported to the appropriate vendor or applicable authority.
Our Commitment
When working with us, according to this policy, you can expect us to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Work with you to understand and validate your report
- An open dialog to discuss issues
- Work to remediate discovered vulnerabilities in a timely manner
- Provide an estimated time frame for addressing the vulnerability report
- Strive to keep you informed about the progress of a vulnerability as it is processed
- Notify you when the vulnerability has been fixed
- Recognise your contribution if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.
- Provide a legal Safe Harbor for your vulnerability research that is related to this policy
Our Expectations
In participating in our vulnerability disclosure program, we ask you to:
- Play by the rules and instructions described in this policy
- Don’t breach any applicable laws in connection with your report and your interaction with us
- Report any vulnerability you’ve discovered promptly
- Don’t exploit or use in any manner the discovered vulnerabilities other than for the purposes of reporting to us
- Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience
- Use only the official disclosure channels to discuss vulnerability information with us
- Ensure the confidentiality of details of any discovered vulnerabilities according to this policy
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; cease testing and submit a report immediately
- You should only interact with test accounts you own or with explicit permission from the account holder
- Do not engage in extortion
- Provide us a reasonable amount of time (90 days from the initial report) to resolve the issue
- Coordinate with us before disclosing vulnerabilities publicly
Bug Bounty Switzerland does not permit the following types of security research:
While we encourage you to report to us any vulnerabilities you find, the following conduct however is prohibited:
- Performing actions that may negatively affect our systems or our customers (e.g. phishing, spam, brute force, denial of service, etc.)
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on our personnel, property, buildings or infrastructure
- Social engineering our employees, customers or contractors
Coordinated Vulnerability Disclosure (CVD)
We value the effort of external security researchers who identify security vulnerabilities and disclose those vulnerabilities responsibly so that they can be fixed. Our policy is to allow publication, provided the following conditions are met (Coordinated Vulnerability Disclosure):
- The reporting individual does not publish the vulnerability prior to us confirming a fix has been released and that it is acceptable to publish
- They do not publish exact details of the issue, for example, exploits or Proof-of-Concept code
Official Channels
Please report security issues via https://app.bugbounty.ch/public/engagement/details/de64822a-60a2-45be-96ba-cd24a48bca24, providing all relevant information. Do not submit reports from automated tools without verifying them. The more of the following details you provide, the easier it will be for us to triage and fix the issue:
- Technical description of the vulnerability, including:
- Browser information (type and version) used
- Relevant information about connected components and devices
- Impacted platform(s) URL(s)
- Sample code to demonstrate the vulnerability and/or detailed steps to reproduce
- Threat/risk assessment
- Date and time of discovery
- Contact information
- Possible disclosure plans
Please note that this channel is for reporting undisclosed security vulnerabilities only and must not be used for any other support or information requests. Inquiries sent there that do not relate to undisclosed security vulnerabilities will not receive any response.
Legal Safe Harbor
- We will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good faith violations of this policy
- We interpret activities by participants that comply with the policy as authorized access under the Swiss Penal Code. This includes Swiss Penal Code paragraphs 143, 143bis and 144bis.
- We will not file a complaint against participants for trying to circumvent the security measures deployed in order to protect the services in-scope for this policy.
- If legal action is initiated by a third party against a participant and the participant has complied with the policy as outlined in this document, we will take the necessary measures to make it known to the authorities that such participant’s actions have been conducted in compliance with this policy.
- For minor breaches, a warning may be issued. For severe breaches, we reserve the right to file criminal charges.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before you continue your research.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.