At easybell, we are well aware that not everything can always be error-free - which is why we support security researchers and white hat hackers with our bug bounty programme.
This means that anyone who reports vulnerabilities or security holes found in the easybell system to us will be rewarded.
You feel addressed, have already discovered a vulnerability with us and would like to have your knowledge duly rewarded? Then it is important to observe the following guidelines:
The following sites are particularly important to us:
- excluding test and development pages
- VoIP to go App iOS
- VoIP to go App Android
We are happy to accept reports for other sites, but they are not part of this programme.
To be eligible for a reward, please follow the reporting process below:
- We need sufficient time to reply to your email and fix the vulnerabilities.
- The vulnerability must not be disclosed to anyone until it is fixed.
- Please provide us with information on how to verify and reproduce the vulnerability - preferably a proof of concept script!
- Only one vulnerability per report please! For new vulnerabilities, start a new email thread.
In return we offer:
- A quick response to your report (an acknowledgement of receipt) comes immediately and usually a report is answered within 48 hours.
- We guarantee not to take any legal action against you.
- We close the found vulnerability as quickly as possible.
- After we have confirmed the vulnerability, you will be paid a reward.
It is particularly important to us to protect the data of our customers. Security gaps that expose this data are of particular importance. A security gap or vulnerability is anything that meets at least one of the following requirements:
- Unauthorised code is executed.
- Sensitive information is disclosed (e.g. passwords).
- The integrity of systems is compromised.
- User data is disclosed.
- User data is modified.
- Unauthorised access to sensitive data or resources is enabled.
- Privileges are elevated.
- Users' systems may be damaged.
In addition, the vulnerabilities must be:
- actually be exploitable (please do not report theoretical security gaps!);
- be exploitable from the Internet.
Please make sure:
- that our infrastructure is not affected - no brute force attacks or aggressive scanners!
- The privacy of our users has the highest priority: sensitive data must not be changed, deleted, downloaded or published. If you suspect that sensitive data can be accessed, please contact us and we will provide a test account.
The following vulnerability categories are excluded from the programme:
- social engineering, spam, phishing, etc.
- physical attacks, e.g. burglary
- DDOS attacks and attacks requiring a high volume of data
- vulnerabilities in third-party software or websites that do not belong to easybell GmbH
- 0-Day vulnerabilities in software not developed by us for which a patch is not yet available or for which we have not yet had sufficient time to close the vulnerabilities
- clickjacking attacks
- DNS misconfigurations, e.g. non-restrictive SPF records
- missing best practices in headers, SSL/TLS, DNS
- vulnerabilities caused by malware
- POST-based reflected XSS
- CSRF login/logout
- insufficient password complexity
- user enumeration
So that we pay you a reward:
- Make sure you meet the criteria we have listed under "Responsible Disclosure" and "Identify security flaws and vulnerabilities"!
- Your report is the first vulnerability report.
- You are not an employee of easybell GmbH, a supplier or a contractual partner.
- You must write an invoice to easybell GmbH for the reward.
- The reward is based on the severity of the security gap, the effort to find it and the quality of the report. This is determined by us at our own discretion. We orientate ourselves on the CVSS 3.1 Base Score.