Bug bounty
Public

Telenor Sweden Public Bug Bounty Program

Telecommunication

Reward (Bounty / Hall of fame): €50 · Low · €100 · Medium · €500 · High · €2,000 · Critical · €5,000

Program: Avg reward - · Max reward - · Scopes 7

Supported languages: English

Hacktivity: Reports 800 · 1st response < 1 day · Reports last 24h 1 · Reports last week 9 · Reports this month 25

At Telenor we recognize the important role that security researchers play in helping to keep Telenor Sverige AB and our customers secure.

By participating in this program you acknowledge that you have read and agreed to these Program Rules.

Scope of this program

We aim to test most of our assets through this program.
Nevertheless, we ask you to read the list of exclusions (Out-of-Scope) carefully before starting: some domains belong to Telenor's customers; these must not be tested and would not be eligible for a reward in any case.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports that help us improve the security of Telenor Sverige AB. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com.
  • You must send a clear description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service. (Please respect this, DoS not in scope)
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Telenor or one of its contractors.
  • No vulnerability disclosure, including partial, is allowed. This includes resolved and closed reports.

Required Submission Information

For all submissions, please include a full description of the vulnerability, including exploitability and impact. Also, provide evidence of the issue, such as:

  • Videos
  • Screenshots
  • PoC code
  • Traffic logs
  • Web/API requests and responses
  • Email/user ID of test accounts
  • IP address used during testing
  • For RCE reports, see the RCE Rules section below

Reports of leaks and exposed credentials

We are open to some types of reports related to exposed secrets, credentials or information.

Please pay attention to our list of Qualifying/Non-Qualifying vulnerabilities, as well as our Scope and the following rules.

In the context of this program, we do not intend to encourage, accept or reward reports of leaks or exposed credentials.
We will only consider vulnerabilities or leaks that are identified directly on the scope of this program.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behaviour (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials on an out-of-scope asset
  • Exposed GitHub/GitLab (or similar) instance
  • Exposed secrets (e.g. API tokens/keys or other technical credentials)
  • Exposed PII on an out-of-scope asset

To summarize our policy, you may refer to this table:

                                                                             Source of leak is in-scope   Source of leak is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset)             Eligible                     Not Eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset)    Eligible                     Not Eligible

Remote Code Execution (RCE) and Cross-Site Scripting (XSS)

RCE Rules

Allowed Actions:

  • Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
  • Uploading a file that outputs the result of a hard-coded benign command

Prohibited Actions:

  • Uploading files that allow arbitrary commands (i.e. a webshell)
  • Modifying any files or data, including permissions
  • Deleting any files or data
  • Interrupting normal operations (e.g. triggering a reboot)
  • Creating and maintaining a persistent connection to the server
  • Intentionally viewing any files or data beyond what is needed to prove the vulnerability
  • Failing to disclose any actions taken or applicable required information

For reports, please include:

  • Source IP and timestamp (with time zone)
  • Server request and responses
  • Filenames of any uploaded files, which must include “telenor_ywh” and the timestamp
  • Callback IP and port (if applicable)
  • Any data accessed (deliberately or inadvertently)

About XSS

Unless you can demonstrate a specific situation where an XSS becomes a "HIGH" or "CRITICAL" finding, it is likely an XSS vulnerability will score as "MEDIUM".

In this case, if you want your report to be rewarded as a ‘High’ or ‘Critical’ finding, please provide a realistic, proven, step-by-step scenario of exploitability, including the elements that could be modified through this exploit or the actions that could be taken on behalf of the targeted user.

For example: an XHR request that modifies account information and could lead to an account takeover.

There is also a certain chance that similar XSS exploits on different endpoints or parameters are caused by the same underlying input validation weakness. If that is the case, we reserve the right to honor only a single report and to reject the other ones as ‘Duplicate’/‘Informative’.

Program Terms

Termination

In the event (i) you breach any of these Program Rules or the terms and conditions of YesWeHack platform; or (ii) Telenor determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact Telenor (including, but not limited to, presenting any threat to Telenor’s systems, security, finances and/or reputation) Telenor may immediately terminate your participation in this Bug Bounty Program.

Confidentiality

Any information you receive or collect about Telenor or any Telenor user through this Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Telenor sites, without Telenor’s prior written consent.

Changes to Program Rules

The Bug Bounty Program, including its policies, is subject to change or cancellation by Telenor at any time, without notice. As such, Telenor may amend these Program Rules at any time by posting a revised version on YesWeHack platform. By continuing to participate in the Program after Telenor posts any such changes, you accept the Program Terms, as modified.

Contact

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please reach out to yeswehack@telenor.se before going any further.


Reward

Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
Low           €100       €500          €2,000      €5,000

Scopes

Scope                   Type              Asset value   Low    Medium   High     Critical
*.telenor.se            web-application   Low           €100   €500     €2,000   €5,000
*.bredbandsbolaget.se   web-application   Low           €100   €500     €2,000   €5,000
*.europolitan.se        web-application   Low           €100   €500     €2,000   €5,000
*.ownit.se              web-application   Low           €100   €500     €2,000   €5,000
*.vimla.se              web-application   Low           €100   €500     €2,000   €5,000
*.vimla.work            web-application   Low           €100   €500     €2,000   €5,000
*.vimla.io              web-application   Low           €100   €500     €2,000   €5,000

Out of scopes

  • *.bbcust.telenor.se
  • *.cust.telenor.se
  • *.sme.telenor.se
  • *.cust.bredbandsbolaget.se
  • *.customers.ownit.se
  • *.cust.ownit.se
  • stage-vimla-se.vimla.io
  • Any domain that looks like it is owned by a third party or a customer, due to customer privacy
  • Mobile services and devices provided by Telenor Sweden and subsidiaries not reachable from Internet
  • Connect ID - Hosted by Telenor Group
  • Other business units of the Telenor Group - including *.telenor.com

Vulnerability types

Qualifying vulnerabilities

  • Remote code execution (RCE)
  • Server Side Injection (SSTI, SQLi, PHP, ...)
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) with real security impact
  • Insecure direct object references (IDOR)
  • CORS with real security impact
  • Horizontal and vertical privilege escalation
  • Business Logic Errors
  • Exposed secrets, credentials or sensitive information, disclosed by Telenor, on an asset under our control and affecting at least one of our scopes
  • Authentication bypass and broken access control
  • Cache poisoning or other vulnerabilities that disrupt availability without relying on volumetric attacks or resource exhaustion (e.g. race conditions, algorithmic complexity exploits)
  • Clickjacking/UI redressing
  • User enumeration (email, alias, GUID, phone number) unless clearly public data

Non-qualifying vulnerabilities

  • Any hypothetical flaw or best practices without exploitable PoC
  • Self-reflected injections (i.e. HTML/XSS injection that cannot impact others)
  • Open redirection to non-Telenor owned domain
  • Mixed content warnings
  • Denial of Service (DOS) attacks that cause degradation of services
  • Social engineering of any kind
  • Presence of autocomplete attribute on web forms
  • TLS / SSL
  • Attacks requiring MITM or physical access to the victim's device
  • Issues that require unlikely user interaction
  • Low impact or low-severity Cross-Site Request Forgery (CSRF) attacks
  • Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
  • Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
  • Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or information disclosed outside of Telenor's control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)
  • HTTP Strict Transport Security Header (HSTS)
  • Subdomain takeover without a full working PoC
  • Blind SSRF without direct impact (e.g. DNS pingback)
  • Lack of rate-limiting, brute-forcing or captcha issues
  • Disclosed / Misconfigured API Key without exploitable PoC or business impact
  • Password reset token leak on trusted third-party website via Referer header (e.g. Google Analytics, Facebook…)
  • Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
  • Recently disclosed 0-day vulnerabilities (less than 30 days since patch release)
  • Ability to spam users (email / SMS / direct message flooding) through Telenor services
  • Vulnerabilities affecting outdated browsers or platforms
  • CSV injection

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.
