Our Bug Bounty Program

Your Feedback Pays Off

Even though we make every effort to provide absolutely reliable systems, unexpected vulnerabilities may occur. In order to identify these and rectify them as quickly as possible, we reward any such reports as part of our bug bounty program.

Bug Bounty Form

Help Us Close Security Gaps

Greenmark IT GmbH operates a bug bounty program to increase the security of its products. The term "bug bounty" refers to the rewarding of reported vulnerabilities.

As part of Greenmark IT GmbH's bug bounty initiative, the following systems and websites are considered relevant, and bugs reported in them are rewarded:

  • API (core.do.de / core.resellerinterface.de)
  • Backend System (my.do.de / my.resellerinterface.de)
  • Services under *.do.de
  • Websites (www.do.de and resellerinterface.com)

The amount of the reward depends on the severity of the error and the degree of vulnerability. Additional tips are always welcome but cannot be rewarded with a bounty.

Legal representatives, current and former employees of Greenmark IT GmbH and its affiliated companies as well as their relatives may not participate in the Greenmark IT GmbH Bug Bounty Program. Minors may only participate with the consent of their legal representatives.

Responsible Disclosure

Responsible disclosure must fulfill the following conditions:

  • The Responsible Disclosure Policy must be followed. This means that security vulnerabilities shall not be published until they have been rectified by us. The Responsible Disclosure Policy applies for a period of 90 days.
  • The vulnerability must not have been officially known beforehand.
  • It must be the first report of this specific vulnerability. If the vulnerability has already been reported, no bounty can be paid out.
  • The vulnerability must have been discovered without the use of scanning tools.
  • The vulnerability must not be based on an outdated third-party software component.
  • A bug bounty report must contain an example (one-time request or PoC code) and a description of the vulnerability.
  • So-called "fuzzing" and "brute force" must be refrained from and do not qualify for payment of a bug bounty.
  • If a vulnerability you have found restricts availability, disrupts a service or causes high resource utilization, the activity must be stopped immediately and the bug bounty report must be submitted without delay.
  • Real accounts can be used for testing purposes. However, the access, use, distribution, and manipulation of third-party account data without their consent is prohibited.
  • Physical attacks on the operator of the network infrastructure do not qualify for a bounty.
  • If internal data (source code or customer data) is "captured", it must be kept securely under lock and key and irretrievably deleted at the latest upon our request. If a corresponding vulnerability is identified, further reading must be stopped, and the bug bounty report must be submitted immediately.

Important Notes on Bug Bounty Reports

  • The bug bounty program focuses exclusively on the websites and systems of Greenmark IT GmbH.
  • Only vulnerabilities in the above-mentioned websites and systems are considered relevant in the context of the bug bounty initiative.
  • We are always grateful for further helpful tips and information. However, these will not necessarily be remunerated.
  • There is the possibility of future expansion of this bug bounty program. Please feel free to ask.
  • Please submit a single report for each vulnerability found.

Send Us Your Bug Bounty Reports

Please send individual reports to the following e-mail address:

security@greenmark-it.de
