Welcome to the Bug Bounty program of BurdaForward!

We are committed to improving digital security, and that's why we need YOU!
In our vulnerability report program, we reward every researcher who follows our rules for reporting flaws, vulnerabilities and bugs in our services with a monetary "bounty" and/or a ranking in our Hall of Fame!

Rules

Responsible Disclosure:

  • Please allow sufficient time for the evaluation and review process.
    You will be notified as soon as your eligible report has been reviewed and evaluated.
  • You have not performed any attack that could harm the reliability / integrity of our services or data.
  • Publishing an unfixed bug or personal information of users is not eligible and can lead to legal action against you.

In-Scope Domains


In-Scope applications

FOCUS Online – Nachrichten
In the Google Play Store
In the App Store

FOCUS Online – Top Nachrichten
In the Google Play Store

CHIP – News, Tests & Beratung
In the Google Play Store

CHIP
In the Google Play Store
In the App Store

Finanzen100 Börse & Aktien
In the Google Play Store
In the App Store

Währungsrechner – Finanzen100
In the Google Play Store
In the App Store

BestCheck
In the Google Play Store
In the App Store

Out-of-Scope vulnerabilities:

  • DDoS attacks
  • Spamming
  • Phishing
  • Social engineering
  • Physical access to one of our devices or facilities
  • Bugs which have no security impact
  • Self-XSS
  • Default files available via web (e.g. README.txt, CHANGES.txt, etc.)
  • HTTP 404 codes / pages or other non-200 codes / pages
  • CSRF on forms that are available to anonymous users, for example contact forms
  • Disclosure of known public files or directories (e.g. robots.txt)
  • HTTPS mixed content scripts
  • TLS / SSL
  • HTTP security headers
  • Open redirects
  • Vulnerabilities in third-party services (e.g. CDN)
  • Missing SPF or DMARC records
  • Automated scan results without an eligible PoC
  • Bugs requiring exceedingly unlikely user interaction


Also, NOT eligible:

  • Reporting an already publicly disclosed vulnerability
  • Accessing a user's account without their consent
  • Exploits whose probability of success is low
  • Reports which do not follow the rules for an eligible report


Reporting policy

Important: Your report must be sent via an encrypted email.
Emails without encryption do not comply with our eligible report policy and will not be reviewed.

An eligible report contains:

  • Only ONE eligible vulnerability per report
  • A title (including the vulnerability type and the domain or subdomain)
  • A concise description of reproducible steps (screenshots may be helpful)
  • A realistic assessment of the exploitability and its impact
  • For application reports: add your OS and its version
  • Optional: your (nick)name and a link to your Twitter / XING / GitHub or website that you want displayed in our Hall of Fame
  • NOTE: Your report must be reproducible and precise!


Rewards

The minimum reward for every eligible report is a mention in our Hall of Fame.
Reward payment amounts are based on the severity, impact and quality of your report.
The recipient is responsible for the correct taxation of their reward.

Submitting your report

  • Send an encrypted email to security@burda-forward.de containing your eligible report, encrypted with our public PGP key.

If you have any further questions, feel free to contact us at security@burda-forward.de.
Please note that our scopes are not static and can be updated at any time.

Status: 18.02.2019