Webpodium.nl
Online stage for Dutch orchestras

Bug Bounty Program

Publication Date: March 11th, 2022

Announcement: the bounty program is temporarily suspended as of October 2023.

About the Bug Bounty Program

Ethical hackers help make the internet a safer place. Webpodium.nl wants to support this by rewarding reports of vulnerabilities. This program states which vulnerabilities are rewarded. The size of the reward depends on the risk. A vulnerability with little impact and a low chance of occurring will not be rewarded with money, but an effort will be made to fix the issue (though it might turn out to be infeasible to fix). The higher the risk (impact x chance), the higher the reward.

Reward levels

There are 9 reward levels, from low risk (1) to high risk (9):

  1. Vulnerabilities that pollute the website, but don't disrupt functionality.
    Examples: posting spam forum messages, filling forms with nonsense data.
  2. Vulnerabilities that pollute the website, and thereby disrupt functionality.
    Examples: posting forms with values that result in a page breakdown (i.e. an error message that prevents the page from loading). Race conditions, as long as they don't corrupt website data.
  3. Vulnerabilities with client-side effects, low risk.
    Examples: missing HSTS header, clickjacking, broken links to external sites (which could be revived by an attacker), sending emails on behalf of Webpodium.nl.
  4. Vulnerabilities with client-side effects, high risk.
    Examples: XSS with client-side script execution (i.e. JavaScript).
  5. Vulnerabilities with server-side (stateless) effects, low risk.
    Examples: race conditions when they corrupt website data.
  6. Vulnerabilities with server-side (stateless) effects, high risk.
    Examples: XSS with server-side script execution.
  7. Vulnerabilities with server-side (with state) effects, low risk.
    Examples: same-site scripting.
  8. Vulnerabilities with server-side (with state) effects, high risk.
    Examples: SQL injection, XSS with (database) storage and server-side script execution (demonstrated by placing a new file on the server, or creating a new table in the database).
  9. Vulnerabilities leading to elevated rights (explicitly demonstrated in a report, not just a reported possibility).
    Examples: full control access (through FTP or the site CMS).

Reward amounts

Rewards may depend on the specific situation, but will fall within the following range, per level:

  1. rewarded through the developers' effort to fix the issue (not urgent)
  2. rewarded through the developers' effort to fix the issue (urgent)
  3. rewarded through the developers' effort to fix the issue (not urgent)
  4. EUR 10
  5. EUR 10
  6. EUR 25
  7. EUR 10
  8. EUR 50
  9. EUR 100

Reward grants

A reward is granted when the vulnerability has been reported in detail to the Contact email address (see below). A report must include a description of the vulnerability, an explanation of the risk, and a description of how to reproduce the vulnerability. Classification into the levels mentioned above is done by the website owner.