Reward
Program
Hacktivity
At Telenor we recognize the important role that security researchers play in helping to keep Telenor Sverige AB and our customers secure.
By participating in this program you acknowledge that you have read and agreed to these Program Rules.
Scope of this program
We aim to test most of our assets through this program.
Nevertheless, we ask you to read carefully the list of exclusions (Out-of-Scope) before starting; some domains are related to Telenor's customers, these should not be tested and will not be eligible for a reward anyway.
Eligibility and Responsible Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security of Telenor Sverige AB, however, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
- You must send a clear description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must avoid tests that could cause degradation or interruption of our service. (Please respect this, DoS not in scope)
- You must not leak, manipulate, or destroy any user data.
- You must not be a former or current employee of Telenor or one of its contractor.
- No vulnerability disclosure, including partial is allowed for the moment.
Bug Submission Requirements
Required information
For all submissions, please include:
Full description of the vulnerability being reported, including the exploitability and impact
Evidence and explanation of all steps required to reproduce the submission, which may include:
- Videos
- Screenshots
- PoC code
- Traffic logs
- Web/API requests and responses
- Email address or user ID of any test accounts
- IP address used during testing
- For RCE submissions, see below
Remote Code Execution (RCE) Testings and Reporting Guidelines:
Report details must include :
- Source IP address
- Timestamp, including time zone
- Full server request and responses
- Filenames of any uploaded files, which must include “telenor_ywh” and the timestamp
- Callback IP and port, if applicable
- Any data that was accessed, either deliberately or inadvertently
Allowed Actions:
- Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
- Uploading a file that outputs the result of a hard-coded benign command
Prohibited Actions:
- Uploading files that allow arbitrary commands (i.e. a webshell)
- Modifying any files or data, including permissions
- Deleting any files or data
- Interrupting normal operations (e.g. triggering a reboot)
- Creating and maintaining a persistent connection to the server
- Intentionally viewing any files or data beyond what is needed to prove the vulnerability
- Failing to disclose any actions taken or applicable required information
About Cross-Site-Scripting (XSS)
Unless you can demonstrate a specific situation where an XSS becomes a "HIGH" or "CRITICAL" finding, it is likely an XSS vulnerability will score as "MEDIUM".
In this case, and if you want your report to be rewarded as a ‘High’ or ‘Critical’ finding, please provide a realistic, proven and step by step detailed scenario of exploitability, including elements that could be modified through this exploit, or actions that could be undertaken on behalf of targeted user.
For example : XHR request to modify account information and could lead to an account take over.
There is also a certain chance, that similar XSS exploits on different endpoints or parameters are caused by the same underlying input validation weakness. If that is the case, we reserve the right to honor only a single report and to reject the other ones as ‘Duplicate’/’Informative’.
Program Terms
Termination
In the event (i) you breach any of these Program Rules or the terms and conditions of YesWeHack platform; or (ii) Telenor determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact Telenor (including, but not limited to, presenting any threat to Telenor’s systems, security, finances and/or reputation) Telenor may immediately terminate your participation in this Bug Bounty Program.
Confidentiality
Any information you receive or collect about Telenor or any Telenor user through this Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Telenor sites, without Telenor’s prior written consent.
Changes to Program Rules
The Bug Bounty Program, including its policies, is subject to change or cancellation by Telenor at any time, without notice. As such, Telenor may amend these Program Rules at any time by posting a revised version on YesWeHack platform. By continuing to participate in the Program after Telenor posts any such changes, you accept the Program Terms, as modified.
Reward
Asset value | CVSS | CVSS | CVSS | CVSS |
---|---|---|---|---|
€50 | €400 | €1,500 | €4,000 |
Scopes
Scope | Type | Asset value | Expand rewards grid |
---|---|---|---|
*.telenor.se | web-application | ||
Low Medium High Critical | |||
*.bredbandsbolaget.se | web-application | ||
Low Medium High Critical | |||
*.europolitan.se | web-application | ||
Low Medium High Critical | |||
*.ownit.se | web-application | ||
Low Medium High Critical | |||
*.vimla.se | web-application | ||
Low Medium High Critical | |||
*.vimla.work | web-application | ||
Low Medium High Critical | |||
*.vimla.io | web-application | ||
Low Medium High Critical |
Out of scopes
- *.bbcust.telenor.se
- *.cust.telenor.se
- *.sme.telenor.se
- *.cust.bredbandsbolaget.se
- *.customers.ownit.se
- *.cust.ownit.se
- stage-vimla-se.vimla.io
- Any domain that looks like it's owned by a third party or customer due customer's privacy
- Mobile services and devices provided by Telenor Sweden and subsidiaries not reachable from Internet
- Connect ID - Hosted by Telenor Group
- Other business units of the Telenor Group - including *.telenor.com
Vulnerability types
Qualifying vulnerabilities
- Remote code execution (RCE)
- Server Side Injection (SSTI, SQLi, PHP, ...)
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Cross-Site Scripting (XSS)
- Cross-Site Requests Forgery (CSRF) with real security impact
- Insecure direct object references (IDOR)
- CORS with real security impact
- Horizontal and vertical privilege escalation
- Business Logic Errors
- Exposed credentials, disclosed by Telenor or its employees, that pose a valid risk to an in scope asset
Non-qualifying vulnerabilities
- HTML Injection
- Open redirection, except in the following circumstance (Clicking a Telenor-owned URL immediately results in a redirection ; A redirection results in the loss of sensitive data (e.g. session tokens, PII, etc))
- Tabnabbing
- Missing cookie flags
- Content/Text injections
- Mixed content warnings
- Clickjacking/UI redressing
- Denial of Service (DoS) attacks
- Known CVEs without working PoC
- Open ports without real security impact
- Social engineering of staff, contractors or customers.
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting outdated browsers or platforms
- Self-XSS or XSS that cannot be used to impact other users
- Outdated libraries without a demonstrated security impact
- Any hypothetical flaw or best practices without exploitable PoC
- Expired certificate, best practices and other related issues for TLS/SSL certificates
- Unexploitable vulnerabilities (ex: XSS or Open Redirect in HTTP Host Header)
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
- Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
- Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
- Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
- Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or information disclosed outside of Telenor's control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)
- CSV injection
- HTTP Strict Transport Security Header (HSTS)
- Subdomain takeover without a full working PoC
- Blind SSRF without direct impact (e.g. DNS pingback)
- Lack of rate-limiting, brute-forcing or captcha issues
- User enumeration (email, alias, GUID, phone number)
- Password requirements policies (length / complexity / reuse)
- Ability to spam users (email / SMS / direct messages flooding)
- Disclosed / misconfigured Google API key (including Google Maps)
- Recently disclosed 0-day vulnerabilities (less than 30 days since patch release)
- Password reset token leak on trusted third-party website via Referer header (eg Google Analytics, Facebook…)
Hunters collaboration
When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.