avatar
Bug bounty
Public

Telenor Sweden Public Bug Bounty Program

Telecommunication

Reward

Bounty
Hall of fame
€50
Low
€100
Medium
€500
High
€2,000
Critical
€5,000

Program

Avg reward
-
Max reward
-
Scopes
7
Supported languages
English

Hacktivity

Reports
1051
1st response
< 1 day
Reports last 24h
1
Reports last week
10
Reports this month
31

At Telenor we recognize the important role that security researchers play in helping to keep Telenor Sverige AB and our customers secure.

By participating in this program you acknowledge that you have read and agreed to these Program Rules.

Scope of this program

We aim to test most of our assets through this program.
Nevertheless, we ask you to read carefully the list of exclusions (Out-of-Scope) before starting; some domains are related to Telenor's customers, these should not be tested and will not be eligible for a reward anyway.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of Telenor Sverige AB, however, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
  • You must send a clear description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service. (Please respect this, DoS not in scope)
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Telenor or one of its contractor.
  • No vulnerability disclosure, including partial, is allowed. This includes resolved and closed reports.

Required Submission Information

For all submissions, please include a full description of the vulnerability, including exploitability and impact. Also, provide evidence of the issue, such as:

  • Videos
  • Screenshots
  • PoC code
  • Traffic logs
  • Web/API requests and responses
  • Email/user ID of test accounts
  • IP address used during testing
  • For RCE reports, see the RCE Rules section below

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
  • In case of sensitive information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.

Remote Code Execution (RCE) and Cross-Site Scripting (XSS):

RCE Rules

Allowed Actions:

  • Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
  • Uploading a file that outputs the result of a hard-coded benign command

Prohibited Actions:

  • Uploading files that allow arbitrary commands (i.e. a webshell)
  • Modifying any files or data, including permissions
  • Deleting any files or data
  • Interrupting normal operations (e.g. triggering a reboot)
  • Creating and maintaining a persistent connection to the server
  • Intentionally viewing any files or data beyond what is needed to prove the vulnerability
  • Failing to disclose any actions taken or applicable required information

For reports, please include:

  • Source IP and timestamp (with time zone)
  • Server request and responses
  • Filenames of any uploaded files, which must include “telenor_ywh” and the timestamp
  • Callback IP and port (if applicable)
  • Any data accessed (deliberately or inadvertently)

About XSS

Unless you can demonstrate a specific situation where an XSS becomes a "HIGH" or "CRITICAL" finding, it is likely an XSS vulnerability will score as "MEDIUM".

In this case, and if you want your report to be rewarded as a ‘High’ or ‘Critical’ finding, please provide a realistic, proven and step by step detailed scenario of exploitability, including elements that could be modified through this exploit, or actions that could be undertaken on behalf of targeted user.

For example : XHR request to modify account information and could lead to an account take over.

There is also a certain chance, that similar XSS exploits on different endpoints or parameters are caused by the same underlying input validation weakness. If that is the case, we reserve the right to honor only a single report and to reject the other ones as ‘Duplicate’/’Informative’.

Program Terms

Termination

In the event (i) you breach any of these Program Rules or the terms and conditions of YesWeHack platform; or (ii) Telenor determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact Telenor (including, but not limited to, presenting any threat to Telenor’s systems, security, finances and/or reputation) Telenor may immediately terminate your participation in this Bug Bounty Program.

Confidentiality

Any information you receive or collect about Telenor or any Telenor user through this Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Telenor sites, without Telenor’s prior written consent.

Changes to Program Rules

The Bug Bounty Program, including its policies, is subject to change or cancellation by Telenor at any time, without notice. As such, Telenor may amend these Program Rules at any time by posting a revised version on YesWeHack platform. By continuing to participate in the Program after Telenor posts any such changes, you accept the Program Terms, as modified.

Contact

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please reach out to yeswehack@telenor.se before going any further.

Reward

Asset value CVSS
Low
 CVSS
Medium
 CVSS
High
 CVSS
Critical
Low
€100€500€2,000€5,000

Scopes

ScopeTypeAsset value
*.telenor.se Web application
Low
Low
€100
Medium
€500
High
€2,000
Critical
€5,000
*.bredbandsbolaget.se Web application
Low
Low
€100
Medium
€500
High
€2,000
Critical
€5,000
*.europolitan.se Web application
Low
Low
€100
Medium
€500
High
€2,000
Critical
€5,000
*.ownit.se Web application
Low
Low
€100
Medium
€500
High
€2,000
Critical
€5,000
*.vimla.se Web application
Low
Low
€100
Medium
€500
High
€2,000
Critical
€5,000
*.vimla.work Web application
Low
Low
€100
Medium
€500
High
€2,000
Critical
€5,000
*.vimla.io Web application
Low
Low
€100
Medium
€500
High
€2,000
Critical
€5,000

Out of scopes

  • *.bbcust.telenor.se
  • *.cust.telenor.se
  • *.sme.telenor.se
  • *.cust.bredbandsbolaget.se
  • *.customers.ownit.se
  • *.cust.ownit.se
  • stage-vimla-se.vimla.io
  • Any domain that looks like it's owned by a third party or customer due customer's privacy
  • Mobile services and devices provided by Telenor Sweden and subsidiaries not reachable from Internet
  • Telenor ID
  • Other business units of the Telenor Group - including *.telenor.com

Vulnerability types

Qualifying vulnerabilities

  • Remote code execution (RCE)
  • Server Side Injection (SSTI, SQLi, PHP, ...)
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Cross-Site Scripting (XSS)
  • Cross-Site Requests Forgery (CSRF) with real security impact
  • Insecure direct object references (IDOR)
  • CORS with real security impact
  • Horizontal and vertical privilege escalation
  • Business Logic Errors
  • Exposed secrets, credentials or sensitive information, disclosed by Telenor, on an asset under our control and affecting at least one of our scopes
  • Authentication bypass and broken access control
  • Cache poisoning or other vulnerabilities that disrupt availability without relying on volumetric attacks or resource exhaustion (e.g., race conditions, algorithmic complexity exploits).
  • Clickjacking/UI redressing on pages with real security impact
  • User enumeration (email, alias, GUID, phone number) unless clearly public data

Non-qualifying vulnerabilities

  • Any hypothetical flaw or best practices without exploitable PoC
  • Self reflected injections (i.e, html/xss injection that can't impact others)
  • Open redirection to non-Telenor owned domain
  • Mixed content warnings
  • Denial of Service (DOS) attacks that cause degradation of services
  • Social engineering of any kind
  • Presence of autocomplete attribute on web forms
  • TLS / SSL
  • Attacks requiring MITM or physcial access to victim's device
  • Issues that require unlikely user interaction
  • Low impact or low-severity Cross-Site Request Forgery (CSRF) attacks
  • Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
  • Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
  • Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or information disclosed outside of Telenor's control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)
  • HTTP Strict Transport Security Header (HSTS)
  • Subdomain takeover without a full working PoC
  • Blind SSRF without direct impact (e.g. DNS pingback)
  • Lack of rate-limiting, brute-forcing or captcha issues
  • Disclosed / Misconfigured API Key without exploitable PoC or business impact
  • Password reset token leak on trusted third-party website via Referer header (e.g. Google Analytics, Facebook…)
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
  • Recently disclosed 0-day vulnerabilities (less than 30 days since patch release)
  • Ability to spam users (email / SMS / direct messages flooding) except through Telenor services.
  • Vulnerabilities affecting outdated browsers or platforms
  • CSV injection

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:

Type of leak
Source of leak is in-scope
Source of leak belongs to the Organization and is out-of-scope
Source of leak does not belong to the Organization and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset)
checked Eligible
checked Not eligible
checked Not eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset)
checked Eligible
checked Not eligible
checked Not eligible

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to login with your hunter account.
program thumbnail
To submit a vulnerability report, you need to login with your hunter account.