Bug bounty
Public

ZECIBLE PUBLIC BUG BOUNTY PROGRAM

Zecible provides companies with a selection of prospecting files of professionals and individuals

Reward

Bounty: €100
Low: €100
Medium: €200
High: €1,500
Critical: €2,000

Program

Avg reward: -
Max reward: -
Scopes: 17

Supported languages: English, French

Hacktivity

Reports: 104
1st response: < 1 day
Reports last 24h: -
Reports last week: -
Reports this month: -

PROGRAM UPDATES

Version 10

  • Modification of 1 scope
    • serveur10.notebleue.com to serveur12.notebleue.com
  • Addition of rules for reporting leaks and exposed credentials

Version 9

  • Modifications of 2 scopes
    • odoo13.notebleue.pro to odoo14.notebleue.pro

Version 8

  • Increase all the reward grids "Low", "Medium", "High" & "Critical"

Version 7

  • Removed scopes (no longer relevant)
    1. ywh.www.zebottin.fr
    2. ywh.static.zebottin.fr

Version 6

  • Migrated all MySQL tables to MongoDB collections (in preparation for a future load-balanced configuration)

Version 5

  • Addition of note concerning some restricted scopes.

Version 4

  • Increase in the reward grids "High" & "Critical"
  • Addition of 7 new scopes:
    • ywh.update.zecible.fr
    • odoo13.notebleue.pro
    • registre.notebleue.pro
    • svn.notebleue.pro
    • todo.notebleue.pro
    • webtoolbox.notebleue.pro
    • cam.notebleue.pro

Version 3

  • Addition of 6 new scopes:
    • ywh.api.zecible.fr
    • ywh.dev.zecible.fr
    • ywh.crons.zecible.fr
    • ywh.routage.zecible.fr
    • ywh.www.zebottin.fr
    • ywh.static.zebottin.fr
  • Renaming of 5 scopes:
    • dev.comptage.zecible.fr to ywh.comptage.zecible.fr
    • dev.static.zecible.fr to ywh.static.zecible.fr
    • dev.fichiers.zecible.fr to ywh.fichiers.zecible.fr
    • dev.mydata.zecible.fr to ywh.mydata.zecible.fr
    • dev.admin.zecible.fr to ywh.admin.zecible.fr

Version 2

  • Addition of 3 new scopes:
    • dev.fichiers.zecible.fr
    • dev.mydata.zecible.fr
    • dev.admin.zecible.fr

Version 1

  • Initial program submission.

PUBLIC PROGRAM DESCRIPTION

Company

Note Bleue, via its Zecible brand, provides companies with a selection of prospecting files of professionals and individuals:

  • 33 million B2C profiles with many profiling criteria (age, income, sex, interests, etc.)

  • 11 million companies (head offices, establishments, turnover, workforce, sector of activity, etc.)

  • 1.9 million direct contacts of Executives, Decision-makers, and Executives classified by function and service

Program Rules

  • We have a team of in-house developers who will respond to your reports and work collaboratively with you if you think you have identified a security bug.

  • Although we pay attention to the security aspects of our servers and applications, we also know that nothing is infallible...

  • We are pleased to work with qualified people to help us identify the weaknesses of our technology.

  • Any type of denial of service attack is strictly prohibited, as well as any interference with our network, equipment or infrastructure.

  • We do not want the discoveries to be disclosed to the public or to a third party.

Eligibility and Responsible Disclosure

We want to financially reward all those who submit valid reports to us and help us improve the security of our services. The eligibility requirements for receiving rewards after discoveries of deficiencies are as follows:

  • You must be the first person to reveal a valid vulnerability (duplicate reports will not be rewarded).

  • The vulnerability must be an acceptable vulnerability associated with a site or server in "Scope".

  • Any vulnerabilities found must be reported within 24 hours of discovery and only through the Bug bounty program at www.yeswehack.com.

  • You must not publicly disclose any vulnerabilities.

  • You must send a clear textual description of the report and the steps to follow to reproduce the issue, including attachments such as screenshots or proof of concept code if necessary.

  • You must not perform tests that could cause a degradation or interruption of our service (avoid using automated tools, and limit yourself to a maximum of 2 requests per second).

  • You must not disclose, manipulate, extract or destroy any user data or any data to which you have access.

  • You must not be a former or current employee of Zecible or one of its subcontractors.

  • Please focus on qualifying vulnerabilities.

  • We intend to respond and resolve the reported issues as quickly as possible. Depending on our workload and the severity of the issue, you can expect an update from us within 24 to 96 hours maximum following the initial submission date of the report.

  • Zecible reserves the right to modify the terms of this program or terminate it at any time.

What counts as sensitive data

  • All information from the databases.

  • Any private information about our customers, employees or one of our vendors / subcontractors.

REWARDS

Zecible will provide rewards to eligible reporters of qualifying vulnerabilities.

Reward amounts may vary depending upon the severity of the vulnerability reported and based on the CVSS environmental score (Zecible will rate the base, temporal and environmental CVSS metrics).

Zecible will determine in its sole discretion whether a reward should be granted and the amount of the reward.

COMMUNICATION CHANNEL

If you think you’ve found a vulnerability, please do not publicly disclose these details outside of this process without explicit permission. Please include the following details with your report and be as descriptive as possible:

  • Vulnerability Location & Type - The exact location (vulnerable URLs and parameters) and the nature of the vulnerability;

  • Steps to Reproduce - A detailed description of the steps required to reproduce the vulnerability (screenshots, compressed screen recordings, and proof-of-concept scripts are all helpful); and

  • Attack Scenario - A relevant example attack scenario explaining the prerequisites to the attack, and its exact impact in a realistic context.

NOTE CONCERNING SOME RESTRICTED SCOPES

Some scopes are restricted (IP/Login/Password) and reserved for internal use. They are supposed to be accessed only by Zecible and are strictly confidential.

It is therefore expected that you do not (easily) access them... We included them in the public program in order to test the accuracy of the defined restrictions.

Here are all the scopes concerned:

  1. odoo13.notebleue.pro
  2. registre.notebleue.pro
  3. svn.notebleue.pro
  4. todo.notebleue.pro
  5. webtoolbox.notebleue.pro
  6. cam.notebleue.pro

REPORTS OF LEAKS AND EXPOSED CREDENTIALS

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope, such as:

  • Exposed credentials in/from an out-of-scope asset/source
  • Sensitive information exposed in/from an out-of-scope asset/source

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.
This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

Eligible reports

Reports of exposed secrets, credentials and sensitive information will be considered eligible if they comply with the following:

  • The source of the exposure/leak is under Zecible's control, directly or indirectly (e.g. stolen information or bundled information from a random source is not eligible).
  • The exposed information has been verified (or tested) and confirmed.
    If you identify a source (under our control) that is leaking multiple data, we kindly ask you to report it in a single report; we will consider the impact based on the nature and depth of the exposed data.

To summarize our policy, you may refer to this table:

                                                                | Impact is in-scope | Impact is out-of-scope
  Source of leak is in-scope                                    | Eligible           | Eligible
  Source of leak belongs to Zecible but is out-of-scope         | Eligible           | Not Eligible
  Source of leak does not belong to Zecible and is out-of-scope | Not Eligible       | Not Eligible

Important precautions and limitations

As a complement to the Program’s rules and testing policy:

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials' validity.
  • In case of a sensitive information leak, DO NOT extract/copy every document or data that is exposed; limit yourself to describing and listing what is exposed.

Qualifying vulnerabilities

  • Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes.

Non-Qualifying vulnerabilities

  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over


Reward

  Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical
  Critical    | €100     | €200        | €1,500    | €2,000

Scopes

  Scope                    | Type            | Asset value
  serveur12.notebleue.com  | web-application | Critical
  ywh.comptage.zecible.fr  | web-application | Critical
  ywh.static.zecible.fr    | web-application | Critical
  ywh.fichiers.zecible.fr  | web-application | Critical
  ywh.mydata.zecible.fr    | web-application | Critical
  ywh.admin.zecible.fr     | web-application | Critical
  ywh.api.zecible.fr       | web-application | Critical
  ywh.dev.zecible.fr       | web-application | Critical
  ywh.crons.zecible.fr     | web-application | Critical
  ywh.routage.zecible.fr   | web-application | Critical
  ywh.update.zecible.fr    | web-application | Critical
  odoo14.notebleue.pro     | web-application | Critical
  registre.notebleue.pro   | web-application | Critical
  svn.notebleue.pro        | web-application | Critical
  todo.notebleue.pro       | web-application | Critical
  webtoolbox.notebleue.pro | web-application | Critical
  cam.notebleue.pro        | web-application | Critical

All scopes share the same reward grid: Low €100, Medium €200, High €1,500, Critical €2,000.

Out of scope

  • Anything that is not listed explicitly in the scope.
  • Vulnerabilities reported on other services or applications are not allowed.

Vulnerability types

Qualifying vulnerabilities

  • Any reproducible issue that substantially affects our security and our data is likely to constitute a vulnerability for this program. These are listed below:
  • Remote code execution (RCE)
  • Local file disclosure (LFD)
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Code injections (SQL, PHP)
  • OS command injections
  • Broken authentication
  • Horizontal and vertical privilege escalation
  • Insecure deserialization
  • Authentication bypass
  • Directory traversal issues
  • Exposure of configuration files or secrets
  • Access to sensitive data

Non-qualifying vulnerabilities

  • Any issue that cannot be reproduced (no exploitable PoC) or that does not affect our security or our data is outside the scope of this program (either ineligible or a false positive):
  • Cross-site request forgery (CSRF)
  • Cross-site scripting (XSS)
  • Open redirect (ORED)
  • Content spoofing / text injection
  • Exposure of internal tools
  • Physical or social engineering
  • Issues that require physical access to a victim’s computer/device or any physical attempts against Zecible offices or data centers
  • Stack traces or path disclosure
  • Clickjacking
  • Extension manipulation
  • Right To Left Override and related issues (RTLO)
  • Insecure direct object references (IDOR)
  • Missing cookie flags (HttpOnly and Secure) / cookie weaknesses
  • HTTP(S) configuration deviations from the "state of the art" (such as HSTS settings, "weak" TLS ciphers, best practices, etc.)
  • Homograph Attack
  • Information / Software version disclosure
  • Mixed content warnings
  • Denial of service attacks (DoS)
  • Missing security headers which do not directly lead to a vulnerability
  • Missing autocomplete attributes
  • Recently disclosed 0-day vulnerabilities
  • Vulnerabilities affecting outdated or unpatched browsers and platforms
  • Invalid, incomplete or missing SPF/DKIM/DMARC
  • Reports from automated tools or scanners (Acunetix, Vega, etc.) that have not been validated
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Absence of rate-limiting
  • Use of a known-vulnerable library without evidence of exploitability
  • Issues related to software or protocols not under Zecible control
  • Reports of spam
  • Concerns related to email domain authentication
  • Brute force / user enumeration / password reuse attacks
  • Massive automated actions through robots/crawling (except if it gathers sensitive information)
  • CORS configuration (except if you can show a way to exploit this vulnerability to compromise sensitive information)

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.