Dotlab bounty page

As part of Dotlab’s commitment to security, we reward researchers who share critical issues with us. We make it a priority to resolve confirmed issues as soon as possible to best protect customers. Dotlab offers recognition to those who submit valid reports in the form of a bounty. On this page, you can find the criteria that a report must meet and how the amount of the bounty is determined.

Forbidden operations

The following operations are prohibited and we will not respond to reports when these methods are used.

  • Using automated tools for large-scale scans – tests performed for the purpose of security research must not have a negative impact on our infrastructure and websites. This kind of test may be treated as a DoS attack, and we may take action to block the traffic and prevent the situation from recurring.
  • Sharing information about vulnerabilities with people not authorized by Dotlab.
  • Performing actions that may negatively affect Dotlab or websites developed by Dotlab (e.g. spam).
  • Any form of physical attack on IT infrastructure and/or corporate personnel.
  • Social engineering – e.g. phishing, vishing or smishing on any of the websites.
  • Exfiltrating data – tests should be performed on the minimum amount of data needed to confirm the vulnerability.
  • Violating any applicable laws or agreements in order to discover vulnerabilities.

Vulnerabilities out of scope

The following issues fall outside the scope of our bug bounty program:

  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms
  • Cross-site scripting bugs that require an unrealistic amount of user interaction
  • Cross-site request forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Missing (RE)CAPTCHA
  • Password complexity or account recovery policy
  • HTTPS mixed content
  • Issues with no clearly identified security impact
  • Missing or misconfigured HTTP security headers
  • Invalid or missing SPF, DKIM, DMARC records
  • Weak SSL/TLS cipher suites
  • Vulnerability reports generated by automated tools and submitted without manual validation
  • Use of a library with known vulnerabilities, with no evidence that it can actually be abused
  • Attacks that require physical access to an unlocked user device
  • Reports of spam, phishing or security best practices
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Missing cookie flags on non-sensitive cookies
  • JavaScript posted by users who already hold superuser privileges (e.g. via the Tag Manager module)
  • Path disclosure
  • Vulnerabilities already known and reported by other security researchers

How can you report?

Please contact us via the form at the bottom of this page or by e-mail at bounty@dotlab.nl, with a description of the steps required to reproduce the problem.

Provide a detailed summary of the vulnerability, including:

  • Type of issue
  • Date and time when the bug was detected
  • Product, version and configuration of software or asset containing the bug
  • Step-by-step instructions to reproduce the issue (proof of concept)
  • Website/URL of the websites where the vulnerability was found
  • Impact of the issue
  • Suggested mitigation or remediation actions
  • PayPal account for transferring the bounty amount

Remark: When a security issue has already been reported, the bounty is assigned to the person who reported it first. Any later reports of the same issue receive no bounty.

Bounty payments

Rewards are based on the severity of the bug. Below are examples of issues that qualify for each severity level type.

Critical: $120
Example issues that qualify as critical:

  • Remote Code Execution.
  • Privilege escalation.

High: $80
Example issues that qualify as high:

  • SQL injection.
  • CSRF.
  • XSS without user interaction.
  • Customer data disclosure.

Medium: $40
Example issues that qualify as medium:

  • XSS with user interaction.
  • Sending spam using the forms on the website.

Low: $0

  • We do not pay a bounty for minor problems.

Bounties are paid via PayPal. Severity can be calculated using the CVSS (base score) calculator; more information can be found in the CVSS documentation. All bounties are paid within 5 working days from the moment we send a response about the reported vulnerability.
