openPetition is committed to continuous security improvement. We collaborate transparently with the ethical and responsible cybersecurity community. If you find an important bug, report it to us and we reward you!
Policy
The following guidelines give you an idea of what we usually pay out for different classes of security issues. Low-quality issues reporting may be rewarded below these tiers, so please make sure that there is enough information for us to be able to reproduce your issue and step-by-step instructions including how to reproduce your issue.
Rules for reporting
- Report a qualifying vulnerability that is in the scope of our program.
- Be the first person to report the vulnerability on any of the domains in scope.
- Be reasonable with automated scanning methods so as to not degrade services.
- Refrain from disclosing the vulnerability until we’ve addressed it.
- Never try to gain access to a real user’s account or data.
- You must not leak, manipulate, or destroy any user data.
- Do not impact users with your testing.
- Do not make issues public before submitting them to us and before it is resolved
Blocked POST requeste
We require that you prevent POST requests to the following URL patterns (blocklist):
- /ajax/argument/{slug}
- /eingang/gesendet/{slug}
- /petition/kontakt/{slug}
- /petition/uebersetzen/{slug}
- /petition/widget/{slug}/.+
- /petition/[^/]+/{slug}/unterschreiben
- /petition/[^/]+/{slug}/unterschreiben/.+
- /widget/anmelden/{slug}
You can convert this to a blocklist (of regular expressions) by replacing {slug} with [^/]+, and add exceptions as a whitelist by replacing {slug} with bug-bounty-playground, which is a petition where you can test those routes on the blocklist. Please ensure, that you won’t „accidentally“ send POST requests to blocklisted endpoints.
If you send and continue to send POST requests to endpoints on the blocklist (those not explicitly whitelisted), we eventually may block your IP, and classify you as a malicious attacker and treat you as such.
Domains in scope
- www.openpetition.de
- www.openpetition.org
- www.openpetition.eu
Out of scope
- Vulnerabilities requiring physical access to the victim’s unlocked device
- Denial of Service attacks
- Brute Force attacks
- Spam or Social Engineering techniques
- Content Spoofing
- Best practices concerns
- Issues relating to Password Policy
- Issues relating to token lifetime
- User enumeration
- Full-Path Disclosure on any property
- CSRF-able actions that do not require authentication (or a session) to exploit
- Reports related to missing security headers
- CSV Injection
- Reverse Tabnabbing
- Bugs that do not represent any security risk
- Vulnerabilities that are limited to unsupported browsers
- Missing DNS records
- Cross Domain Policies
Levels of severity
- Critical: Remote code execution, root access, critical data breaches of personal data
- High: SQL injections, significant authentication bypasses, account takeover, Cryptographic Failures
- Medium: non-personal data exposures, Server-side request forgery (SSRF)
- Low: cross-site scripting (XSS), Cross-site request forgery (CSRF), Insecure direct object reference (IDOR)
Rewards
Reward payout requires a PayPal account and an invoice with issuer name and address. Issuer identity is kept confidential and protected from legal action.
- Critical: 2.000 EURO
- High: 500 EURO
- Medium: 100 EURO
- Low: 50 EURO
How to report?
Please send all security reports to bugs@openpetition.net