At easybell, we are well aware that not everything can always be error-free - which is why we support security researchers and white hat hackers with our bug bounty program.

This means that anyone who reports vulnerabilities or security holes found in the easybell system to us will be rewarded.

You feel addressed, have already discovered a vulnerability with us and would like to have your knowledge duly rewarded? Then it is important to observe the following guidelines:

Which domains, subdomains and apps are relevant?

The following sites are particularly important to us:

  • easybell.de
  • easybell.com
  • login.easybell.de
  • cta.easybell.de
  • teams-trunk-frontend.easybell.de
  • order-form.easybell.de
  • partner.easybell.de
  • *.easybell.de
    • excluding test and development pages
  • VoIP to go App iOS
  • VoIP to go App Android

We are happy to accept reports for other sites, but they are not part of this program.

Out of scope, unless mentioned above, are:

  • IPs registered to easybell
  • Sites with an easybell certificate
  • Sites that only contain the word "easybell"

Responsible Disclosure

To be eligible for a reward, please follow the reporting process below:

  • We need sufficient time to reply to your email and fix the vulnerabilities.
  • The vulnerability must not be disclosed to anyone until it is fixed.
  • Please provide us with information on how to verify and reproduce the vulnerability ­– preferably a proof-of-concept script!
  • Please mention the IP you tested from – this helps us better understand the vulnerability.
  • Only one vulnerability per report please! For new vulnerabilities, start a new email thread.


In return we offer:

  • A quick response to your report (an acknowledgement of receipt) comes immediately and usually a report is answered within two business days.
  • We guarantee not to take any legal action against you.
  • We close the found vulnerability as quickly as possible.
  • After we have confirmed and resolved the vulnerability, you will be paid a reward.

Identify security flaws and vulnerabilities

It is particularly important to us to protect the data of our customers. Security gaps that expose this data are of particular importance. A security gap or vulnerability is anything that meets at least one of the following requirements:

  • Unauthorized code is executed.
  • Sensitive information is disclosed (e.g., passwords).
  • The integrity of systems is compromised.
  • User data is disclosed.
  • User data is modified.
  • Unauthorized access to sensitive data or resources is enabled.
  • Privileges are elevated.
  • Users' systems may be damaged.


In addition, the vulnerabilities must:

  • actually be exploitable (please do not report theoretical security gaps!);
  • be exploitable from the Internet.


Please make sure:

  • that our infrastructure is not affected – no brute force attacks, DOS, DDOS, or scanners with more than one request per second (1 req/s)!
  • The privacy of our users has the highest priority: sensitive data must not be changed, deleted, downloaded or published. If you suspect that sensitive data can be accessed, please contact us and we will provide a test account.


The following vulnerability categories are excluded from the program:

  • social engineering, spam, phishing, etc.
  • physical attacks (e.g., burglary)
  • DDOS-attacks and attacks requiring a large volume of data 
  • vulnerabilities and 0-days in third party software or websites not owned by easybell GmbH
  • clickjacking attacks
  • DNS misconfigurations, like for example non-restrictive SPF records
  • missing best practices in headers, SSL/TLS, DNS
  • vulnerabilities and backdoors caused by malware
  • POST-based reflected XSS, CSRF login/logout
  • user enumeration or insufficient password complexity
  • direct IP access
  • missing or insufficient rate limiting
  • vulnerabilities that can only be exploited if another account of the customer, for example their email address, is compromised

Your reward

To be eligible for the reward:

  • Make sure you meet the criteria we have listed under "Responsible Disclosure" and "Identify security flaws and vulnerabilities"!
  • Your report is the first vulnerability report.
  • You are not an employee of easybell GmbH, a supplier or a contractual partner.
  • You must write an invoice to easybell GmbH for the reward.
  • The reward is based on the severity of the security gap, the effort to find it and the quality of the report. This is determined by us at our own discretion. We orientate ourselves on the CVSS 3.1 Base Score
Gap severity Low Middle High Critical
Reward in € up to 100 100-500 500-1000 1000+

And this is how you report a gap

If you have found a security gap or vulnerability, please email us at bugbounty@easybell.de. You can also send questions or comments about the bug bounty program here.

 

Thank you very much!

Created on: 31. May 2023