Swiss Post
Bug Bounty Post - Securing Digital Trust
Public bug bounty program

Reward scale (as displayed on the program page): €100 – Low – €1,000 – Medium – €3,000 – High – €5,000 – Critical – €10,000

Program
  Average reward: €787.69
  Maximum reward: €10,000
  Scopes: 9
  Supported languages: English

Hacktivity
  Reports: 933
  First response: < 1 day
  Reports in the last 24 hours: 2
  Reports in the last week: 12
  Reports this month: 37

05.11.2024 Update:

We are happy to inform you that the scope has been updated for this program. Enjoy testing the new subdomains of *.post.ch!

ABOUT THE PROGRAM

Swiss Post - the world’s best postal service - stands for secure and trustworthy conveyance of information.

In order to meet the highest quality standards, we are constantly mitigating security issues on multiple levels.

We are open to your vulnerability reports, and we will pay out a fair reward for confirmed and in-scope vulnerabilities.

Our aim is to continuously include more scopes of Swiss Post into this program. But we also reserve the right to terminate this program at any time.

PROGRAM RULES

Participants are permitted to perform any tests and investigations on the systems, as long as they act in good faith and respect the scope and rules described below.

GENERAL RULES

Please read the following rules carefully, especially the information regarding the scopes of this program and the corresponding reporting requirements.

Please do not interfere with other hunters’ work when searching for vulnerabilities.

If the definition of the scope prevents you from exploiting other server-side vulnerabilities, this will be taken into consideration when calculating the compensation (e.g. you successfully pwn a server and are ready for lateral movement, but you do not exploit surrounding systems because they are out of scope).

ELIGIBILITY AND RESPONSIBLE DISCLOSURE

We would like to thank everyone who submits valid reports that help us improve the security of Swiss Post’s IT system. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code where necessary (see the reporting requirements for the corresponding scope).
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit your requests per second). If you overdo it, your IP address might be throttled or even (temporarily) blocked to protect our infrastructure.

Reports on vulnerabilities are examined by our security analysts. Our analysis is always based on worst-case exploitation and the business criticality of the vulnerability, as is the reward we pay.

LEGAL SAFE HARBOR - CONSEQUENCES OF COMPLYING WITH THESE PROGRAM RULES

  • The Swiss Criminal Code classifies any type of hacking as a crime. This section ensures that security researchers are safe from any prosecution when they act in good faith.
  • Swiss Post will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good faith violations of the program rules.
  • Swiss Post interprets activities by participants that comply with the program rules as authorized access under the Swiss Criminal Code. This includes Swiss Criminal Code Articles 143, 143bis and 144bis.
  • Swiss Post will not file a complaint against participants of this program for trying to circumvent the security measures deployed in order to protect the services in scope as outlined below.
  • If legal action is initiated by a third party against a participant, and the participant has complied with the program rules as outlined in this document, YesWeHack and Swiss Post will take the necessary measures to inform the authorities that such participant’s actions have been conducted in compliance with this policy.
  • Any non-compliance with the program rules may result in exclusion from the bug bounty program.
  • For minor breaches, a warning may be issued. For severe breaches, Swiss Post reserves the right to file criminal charges.

SCOPE

The scope of this bug bounty program includes the following apps, web apps and URIs, as well as all subdomains of *.post.ch within the net AS12511 and IP range 194.41.128.0/17.

Login & Registration

Here you can create your account for the "Swiss Post Customer Login" and login to the digital world of Swiss Post. Please note that the alternative login with SwissID (https://login.swissid.ch) is out of scope.

Postshop

This is the official online shop of Swiss Post.

My Consignments

Here you can manage your shipments and organize your preferred delivery options.

Address maintenance

This online service provides all Swiss Post services for your addresses on a single platform – from verifying to updating and address management.

Recipient Services

This service gives you access to different recipient services of Swiss Post.

PostApp

The Post-App offers useful support and practical information on Swiss Post services.

Billing Online

Billing Online is our payment service that is used within many of our online services.
Two additional use cases that you can access through your wallet (https://account.post.ch/selfadmin/payment/) are loading your wallet and changing your credit card details.

There are no test credit cards for our productive environments. We suggest using your own credit cards.

For more information, please have a look at the integration guidelines.

Please note that some of the applications may contain links or redirect you out of the URIs described here. This means you are leaving the scope if you follow these links / redirects.

*.post.ch

For anything else that has not yet been mentioned so far, we consider all subdomains of *.post.ch within the net AS12511 and IP Range 194.41.128.0/17 as in scope.

Please make sure to only check vulnerabilities concerning the ports 80 and 443.

Host                  Port                IP range                                          Valid report
*.post.ch             80 or 443           194.41.128.0/17 (194.41.128.1 - 194.41.255.254)   yes
*.post.ch             80 or 443           other than 194.41.128.0/17                        no
*.post.ch             other than 80/443   194.41.128.0/17                                   no
other than *.post.ch  80 or 443           194.41.128.0/17                                   no

Any reports outside of the defined scope or range of this program will not be accepted/rewarded.
You can however report any findings outside of this scope within our VDP.
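The wildcard rule above combines three conditions (host suffix, port, and resolved IP range), and all three must hold before a finding is reportable here rather than to the VDP. The following Python helper is an added example, not code from Swiss Post or YesWeHack: it encodes the table so a hunter can check a candidate before spending time on it. It assumes DNS resolution has already been done by the caller (the IP is passed in), reads the `*.post.ch` wildcard literally as subdomains only (the page does not say whether the apex counts), and uses constructed sample hosts and addresses.

```python
"""Scope check for the *.post.ch wildcard rule (added example, not program code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Values taken from the program page.
IN_SCOPE_NET = ip_network("194.41.128.0/17")   # 194.41.128.0 - 194.41.255.255
IN_SCOPE_PORTS = {80, 443}
IN_SCOPE_SUFFIX = "post.ch"


@dataclass(frozen=True)
class ScopeDecision:
    host_ok: bool
    port_ok: bool
    ip_ok: bool

    @property
    def in_scope(self) -> bool:
        # The table only accepts the row where every column matches.
        return self.host_ok and self.port_ok and self.ip_ok

    def reason(self) -> str:
        if self.in_scope:
            return "in scope: host, port and IP range all match"
        failed = [name for name, ok in (("host", self.host_ok),
                                        ("port", self.port_ok),
                                        ("ip range", self.ip_ok)) if not ok]
        return "out of scope: " + ", ".join(failed) + " outside the program definition"


def host_in_scope(host: str) -> bool:
    """True only for strict subdomains of post.ch.

    Case-insensitive and tolerant of a trailing dot. Assumption: the wildcard
    is read literally, so the apex 'post.ch' itself is not matched, and a
    look-alike such as 'evilpost.ch' is rejected because the check requires
    the '.post.ch' label boundary.
    """
    h = host.rstrip(".").lower()
    return h.endswith("." + IN_SCOPE_SUFFIX)


def check_scope(host: str, port: int, ip: str) -> ScopeDecision:
    """Evaluate one (host, port, resolved IP) triple against the scope table."""
    return ScopeDecision(
        host_ok=host_in_scope(host),
        port_ok=port in IN_SCOPE_PORTS,
        # ipaddress handles IPv6 input gracefully: an IPv6 address is simply
        # not contained in an IPv4 network, so no exception is raised.
        ip_ok=ip_address(ip) in IN_SCOPE_NET,
    )


if __name__ == "__main__":
    # Constructed sample candidates; the IPs are illustrative, not resolved data.
    samples = [
        ("www.post.ch", 443, "194.41.130.10"),
        ("www.post.ch", 443, "203.0.113.5"),
        ("www.post.ch", 8443, "194.41.130.10"),
        ("www.example.com", 80, "194.41.130.10"),
        ("evilpost.ch", 80, "194.41.130.10"),
    ]
    for host, port, ip in samples:
        print(f"{host}:{port} ({ip}) -> {check_scope(host, port, ip).reason()}")
```

Anything the helper rejects still has a home: the page says out-of-scope findings may be reported through the VDP instead.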

Subdomain Takeover

At the very core of any organization's web infrastructure lays DNS.
Although this program’s scope is limited, we are appreciative of any help provided on this specific topic.

For the *.post.ch domain we are accepting subdomain takeover reports with a fixed reward of €1,000.
To be eligible, the subdomain takeover must be demonstrated, ideally with the MD5 of your username in a TXT file (i.e. md5(hunter_name).txt) hosted on the vulnerable FQDN.
We won’t qualify hypothetical takeovers nor simple DNS dangling reports.

Reports of leaks and exposed credentials

In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

To summarize our policy, you may refer to this table:

Type of leak                              Source of leak is   Source of leak belongs to Swiss   Source of leak does not belong to
                                          in-scope            Post but is out-of-scope          Swiss Post and is out-of-scope
Impact is in-scope (e.g. valid            Eligible            Eligible                          Not eligible
credentials on an in-scope asset)
Impact is out-of-scope (e.g. valid        Eligible            Not eligible                      Not eligible
credentials for an out-of-scope asset)

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

Important precautions and limitations

As a complement to the Program’s rules and testing policy:

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
  • In case of a sensitive information leak, DO NOT extract/copy every document or data that is exposed; limit yourself to describing and listing what is exposed.

Peculiarities

  • We reserve the right to use a "OneFixOneReward" rule, i.e., if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the ensuing flaws, only one report will be considered as eligible for a reward and other reports will be closed as informative. However, all reports will be reviewed thoroughly.
  • We reserve the right to consider findings previously reported in the now disabled Swiss Post - "*.post.ch" private program as duplicates due to its legacy.

GL;HF

Happy Hunting!


Reward

Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
High          €1,000     €3,000        €5,000      €10,000
Medium        €300       €1,500        €3,000      €5,000

Scopes

Scope                                                                              Type                        Asset value   Low      Medium   High     Critical
(*.post.ch:80|*.post.ch:443) AND 194.41.128.0/17                                   other                       Medium        €300     €1,500   €3,000   €5,000
https://account.post.ch                                                            web-application             Medium        €300     €1,500   €3,000   €5,000
https://shop.post.ch/shop                                                          web-application             Medium        €300     €1,500   €3,000   €5,000
https://service.post.ch/ekp-web/                                                   web-application             Medium        €300     €1,500   €3,000   €5,000
https://service.post.ch/zopa/app/                                                  web-application             Medium        €300     €1,500   €3,000   €5,000
https://play.google.com/store/apps/details?id=com.nth.swisspost&hl=de_CH&gl=US     mobile-application-android  High          €1,000   €3,000   €5,000   €10,000
https://apps.apple.com/ch/app/die-post/id378676700                                 mobile-application-ios      High          €1,000   €3,000   €5,000   €10,000
https://billingonline.post.ch/OnlinePayment/Web/v1/BOI                             web-application             Medium        €300     €1,500   €3,000   €5,000
https://service.post.ch/ele-klp/ele/                                               web-application             Medium        €300     €1,500   €3,000   €5,000

Out of scopes

  • Anything that has not been described as in scope in the previous section is automatically out of scope.
  • Attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes DNS, NTP, routers, systems of the ISP, etc.).
  • The alternative login (https://login.swissid.ch) is out of scope. It also leads to the in-scope service (https://account.post.ch), but we have designated it as out of scope.
  • Any services related to Incamail (for example https://incamail-dev.post.ch (194.41.248.224) and https://incamail-test.post.ch (194.41.248.58))
  • Please note that some of the applications may contain links or redirect you away from the URIs described in the scope section. This means you are leaving the scope if you follow these links / redirects.

Vulnerability types

Qualifying vulnerabilities

  • Remote code execution (RCE)
  • Business Logic Errors vulnerability with real security impact
  • Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Code injections (HTML, JS, SQL, PHP, etc.)
  • Cross-Site Scripting (XSS)
  • Open redirects
  • Broken authentication and session management
  • Insecure direct object references
  • CORS with real security impact
  • Horizontal and vertical privilege escalation
  • Cross-Site Request Forgery (CSRF) with real security impact
  • Leaked information from mobile (without rooting)
  • Sensitive information exposure through insecure data storage on a mobile device
  • Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes

Non-qualifying vulnerabilities

  • All attacks that fall under the broad denial of service and resource starvation categories
  • Social engineering attacks on operators or employees of Swiss Post, its subsidiaries, customers and contract partners such as YesWeHack.
  • Physical attacks on people, buildings and devices.
  • "Self" XSS or XSS that cannot be used to impact other users
  • Lack of rate-limiting, brute-forcing or captcha issues
  • User enumeration (email, alias, GUID, phone number)
  • Tabnabbing
  • Missing cookie flags
  • Denial of Service attacks
  • Missing "HTTP Host Header" XSS
  • Clickjacking/UI redressing
  • Disclosed / misconfigured Google API key (including Google Maps)
  • Issues that require MITM or physical access
  • Ability to spam users (email / SMS / direct messages flooding)
  • Password requirements policies (length / complexity / reuse)
  • Password reset token leak on trusted third-party website via Referer header (e.g. Google Analytics, Facebook…)
  • Recently disclosed 0-day vulnerabilities (less than 30 days since patch release)
  • Disclosure of information without direct security impact (e.g., stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
  • Presence of autocomplete attribute on web forms
  • Missing security-related HTTP headers that do not lead directly to a vulnerability
  • Issues that require physical access to a victim’s computer/device
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Reports from automated web vulnerability scanners (ZAP, Burp, Acunetix, Vega, etc.) that have not been validated manually.
  • Invalid or missing Sender Policy Framework (SPF) records (incomplete or missing SPF/DKIM/DMARC)
  • Vulnerabilities affecting outdated browsers or platforms
  • Any hypothetical flaws or best practices without exploitable POC (unless it is explicitly listed as in-scope)
  • HTTP Strict Transport Security Header (HSTS)
  • Vulnerabilities requiring physical access to a user’s smartphone
  • Exploits that are only possible on Android version 7 and below
  • Exploits that are only possible on iOS version 10 and below
  • Exploits that are only possible on a jailbroken device
  • Lack of code obfuscation
  • Lack of binary protection / jailbreak and root detection / anti-debugging controls
  • Crashing your own application
  • Non-important secrets (such as 3rd party secrets)
  • SSL cipher suites (mobile app scopes)
  • Vulnerable version of libraries (for example ‘jquery’) without demonstrable attack vector
  • SSL Pinning bypass
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Expired certificate, best practices and other related issues for TLS/SSL certificates
  • Content/Text/CSV injections
  • Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
  • Subdomain takeover without a full working PoC
  • Exposed login panels
  • Presence of XMLRPC
  • GraphQL introspection is enabled
  • Broken links and unclaimed social media account
  • EXIF / metadata are not cleaned on uploaded documents
  • WordPress WP-JSON is enabled (listings of users and others…)
  • Cache poisoning (unless one can demonstrate the exploitation of a qualifying vulnerability, e.g. Stored XSS, through it)

Hunting requirements

Account access

You can self-register for most of our scope at https://account.post.ch.

Please activate your YesWeHack e-mail alias and use it as your e-mail address for registration – thanks!


Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.