Please do not submit any bug reports if you don't accept these rules.
General requirements
- report to bugs@komfortkasse.eu or via Open Bug Bounty
- attach proof-of-concept code and screenshots or a screencast
- financial reward only if the bug has not been previously reported
- blackmailing or threatening to publish bugs leads to immediate exclusion from the bug bounty program
- if testing can affect server stability, contact bugs@komfortkasse.eu to receive a dedicated server URL
- using security scanners may get your IP blacklisted automatically; contact us to be removed from the blacklist
- if registering or filling out forms, please use the name "BugBounty" in the name fields
No rewards for:
- Self-XSS
- comments regarding SSL/TLS certificates (e.g. expiring soon)
- HSTS or HSTS preload findings (some subsites have to remain available via plain HTTP for legacy reasons)
- bugs in third party software (e.g. Joomla, Freshdesk, Tawk)
The following actions will result in immediate and permanent exclusion from the program and suspension of all payouts:
- abusive language
- threatening to publish vulnerabilities
- AI-generated or fake reports
- reports of requests that were not actually performed against our server
URLs
- komfortkasse.eu: no rewards (bug bounty program paused as the site is currently undergoing technical upgrades)
- ssl.komfortkasse.eu: rewards for all types of vulnerabilities (except exclusions above)
- no rewards for other URLs
Reward amounts
- Security recommendation, best practice (no real-world vulnerability): 10 USD
- Minor bug (e.g. reflected XSS, any error affecting solely the exploiter's own account): 20 USD
- Medium vulnerability (e.g. stored XSS, CSRF, brute-force vulnerability): 50 USD
- Major flaw (e.g. account takeover, remote code execution): 100 USD
For payout, we need:
- your preferred payout method (e.g. PayPal, SEPA transfer), currency, and payout details (e.g. PayPal address, IBAN)
- your full name, full street address, country (needed for accounting)
- if inside the EU: your VAT ID
Currently, reward payouts to Russia or Belarus are not possible.