Bug Bounty Program Policy
Introduction
At advact, we warmly welcome those dedicated to strengthening the security of our IT systems. Your insights play a crucial role in fortifying our defenses against potential vulnerabilities.
We specifically invite reports on security issues that may jeopardize the confidentiality or integrity of user information or user systems, or that could be exploited to gain unauthorized access to advact services.
Should you identify a potential security vulnerability within advact's IT systems, we encourage you to reach out to us through the provided contact information. When submitting your report, kindly include comprehensive information and detailed instructions to assist our security team in reproducing and addressing the identified issue.
Thank you for your commitment to enhancing the security landscape at advact. Let's create a safer digital environment for everyone.
Contact Information
E-Mail: security@advact.ch
Postal address:
advact AG
Aarbergergasse 20
CH-3011 Bern
Switzerland
Scope
The scope of this program covers all assets within the network range mentioned below. We encourage security researchers to explore and report potential vulnerabilities in the systems and services operating in this network.
In Scope:
- Everything running on the networks 217.148.3.160/28 and 217.148.3.176/28
- This includes, but is not limited to: test-aware.advact.ch, test-dashboard.advact.ch, test-reporting.asbas.ch, test-eml.advact-response.ch and test-reporter.stopphishing.ch
Out of Scope:
- Everything that does not resolve to an IP address within the networks mentioned above
- Notably, the following domains are out of scope (as they do not resolve into the mentioned network ranges): www.advact.ch, www.phishingreporter.ch, www.phishingservice.ch, customerportal.advact.ch
Please direct your attention to the specified network ranges. Testing against any asset outside these ranges is out of scope and is not eligible for a reward.
Safe Harbor
Any activities conducted in adherence to this policy will be considered authorized conduct, and advact commits to refraining from initiating legal action against you. In the event that a third party initiates legal proceedings against you in connection with activities conducted under this policy, we will take proactive steps to affirm that your actions were in compliance with this policy.
It is crucial to note that unauthorized access to computer systems is a criminal offence under the Swiss Penal Code. As long as you adhere to the rules outlined in this Bug Bounty Program, advact will not seek criminal sanctions against you. If these rules are violated, however, you may be barred from future participation in the program, and advact reserves the right to file criminal charges or take civil action against the responsible party.
Any disclosure to third parties about vulnerabilities found may void the Safe Harbor protection.
Prohibited Methods
To safeguard our customers and services, we kindly request that you refrain from publicizing or sharing any information related to potential vulnerabilities.
advact strictly prohibits the following types of security research:
- Performing actions that may have adverse effects on advact or its customers (e.g., social engineering, spam, phishing, denial of service).
- Social engineering any advact employee, contractor, or customer.
- Using vulnerability testing tools or any other automated tools that generate significant traffic (> 1 request/second) which may impact advact's systems.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
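Before any testing starts, a practitioner will want to verify that every target actually resolves into the two /28 ranges listed under Scope, and that a scanner stays under the 1 request/second limit listed under Prohibited Methods. The following Python helper is an added example illustrating both checks; it is not advact's own tooling. The hostnames and addresses in `CONSTRUCTED_DNS` are made up for offline demonstration and are not the real DNS records of the hosts named in the policy; only the two network ranges come from the policy text.

```python
"""Pre-flight checks for a target list: is each host in the published scope, and
are requests spaced to the policy's rate cap? Added example, not advact's tooling."""
import ipaddress
import socket
import time
from typing import Callable

# The two /28 networks named in the Scope section of the policy.
IN_SCOPE_NETWORKS = [
    ipaddress.ip_network("217.148.3.160/28"),
    ipaddress.ip_network("217.148.3.176/28"),
]


def ip_in_scope(ip: str) -> bool:
    """True if the literal address falls inside one of the in-scope networks."""
    return any(ipaddress.ip_address(ip) in net for net in IN_SCOPE_NETWORKS)


def resolve_all(hostname: str) -> list[str]:
    """Live resolver: every A and AAAA address the name currently resolves to."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def host_in_scope(hostname: str, resolver: Callable[[str], list[str]] = resolve_all):
    """Return (in_scope, addresses).

    The policy defines scope by what a name resolves to, so a host is in scope only
    if *every* address it resolves to (IPv4 and IPv6) lies inside the ranges. A name
    that resolves to nothing, or to any out-of-range address, is treated as out of scope.
    """
    addrs = resolver(hostname)
    if not addrs:
        return False, []
    return all(ip_in_scope(a) for a in addrs), addrs


def partition_targets(hostnames, resolver=resolve_all):
    """Split a target list into in-scope and out-of-scope names, keeping the addresses seen."""
    in_scope, out_of_scope = {}, {}
    for name in hostnames:
        ok, addrs = host_in_scope(name, resolver)
        (in_scope if ok else out_of_scope)[name] = addrs
    return in_scope, out_of_scope


class RequestThrottle:
    """Enforces the policy's ceiling of 1 request/second (min_interval defaults to 1.0 s).

    clock and sleep are injectable so the pacing can be checked without real waiting.
    """

    def __init__(self, min_interval: float = 1.0, clock=time.monotonic, sleep=time.sleep):
        self.min_interval = min_interval
        self._clock = clock
        self._sleep = sleep
        self._next_allowed = None

    def wait(self) -> float:
        """Block until the next request is permitted; return the delay applied in seconds."""
        now = self._clock()
        delay = 0.0 if self._next_allowed is None else max(0.0, self._next_allowed - now)
        if delay > 0:
            self._sleep(delay)
        self._next_allowed = now + delay + self.min_interval
        return delay


# Constructed resolver for offline demonstration: these names and addresses are
# made up and are NOT the real records of the hosts listed in the policy.
CONSTRUCTED_DNS = {
    "target-a.example": ["217.148.3.170"],              # inside 217.148.3.160/28
    "target-b.example": ["217.148.3.177"],              # inside 217.148.3.176/28
    "www.example": ["203.0.113.10"],                    # public site, out of range
    "mixed.example": ["217.148.3.177", "2001:db8::1"],  # one record out of range -> out
    "gone.example": [],                                 # does not resolve
}


def constructed_resolver(hostname: str) -> list[str]:
    return CONSTRUCTED_DNS.get(hostname, [])


if __name__ == "__main__":
    ok, bad = partition_targets(CONSTRUCTED_DNS, constructed_resolver)
    print("in scope:    ", ok)
    print("out of scope:", bad)
```

Two caveats follow from the policy's wording. Scope is defined by where a name resolves, so the check belongs at the start of every session rather than once: a name that pointed into the ranges yesterday may point elsewhere today, and a host with an additional AAAA record outside the ranges is treated here as out of scope. And because the policy prohibits automated tools exceeding 1 request/second, call `RequestThrottle.wait()` before every request a scanner issues, not only before the first.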
Eligibility Criteria for Bug Bounty Program
advact's Bug Bounty Program is designed to encourage responsible security research. The following criteria define who is eligible to participate in the program:
Acceptance of Payment Policies:
Researchers must agree to and comply with our payment guidelines (see section below) to be eligible for bounty rewards.
Exclusion of Insiders:
Employees of advact, as well as suppliers or partners who have inside knowledge or access to advact’s infrastructure, are not eligible to participate. This is to ensure fairness and prevent conflicts of interest.
Compliance with Sanctions Lists:
Participation is not permitted for individuals residing in or located within countries on any U.S. sanctions lists, such as those maintained by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
Adherence to Swiss Sanctions Lists:
Similarly, participants must not be on the Swiss sanctions list as maintained by the State Secretariat for Economic Affairs (SECO). This is to align with Swiss legal and regulatory standards. Currently this list is located here: https://www.seco.admin.ch/seco/de/home/Aussenwirtschaftspolitik_Wirtschaftliche_Zusammenarbeit/Wirtschaftsbeziehungen/exportkontrollen-und-sanktionen/sanktionen-embargos/sanktionsmassnahmen.html
We reserve the right to modify these eligibility criteria as needed to comply with legal and regulatory changes and to ensure the integrity of our Bug Bounty Program.
Bounties
Monetary rewards, referred to as "Bounties", may be granted at the full discretion of advact. Bounties for eligible reports range from CHF 100 to CHF 1000 (or the equivalent in USD; see also the section "Payment Guideline"). The Bounty amount is determined by the Bug Bounty team based on:
- Technical impact of the reported vulnerability
- The business criticality of the impacted system or data
- The quality of the documentation provided to advact
Typically, rewards will be disbursed after the successful remediation of the vulnerability. Subsequently, you will be requested to validate the implemented remediation measures.
To be eligible for a Bounty, the following requirements must be met:
- The vulnerability must affect an in-scope asset (refer to "Scope")
- The vulnerability must be found by using permitted methods (refer to "Prohibited methods")
- You must be the first reporter of the vulnerability
- Reports on vulnerabilities sharing the same root cause (remediation in a single point, e.g. same backend system, same code base, etc.), as well as enumeration of identical vulnerabilities, may be treated as a single report.
- Reports and all communication must be in German or English
Common Minor Bugs:
Low-risk findings such as missing "best practice" security headers (e.g. CSP, HSTS), missing cookie flags, version disclosure, or deviations from TLS/SSL best practices are considered non-qualifying, unless they lead to a more significant issue.
Non-Exploitable Issues:
Vulnerabilities requiring unlikely user interaction or theoretical vulnerabilities without practical exploitation scenarios will be excluded (e.g. out-of-date libraries that cannot be exploited).
Rate Limiting Bugs:
Unless they can be exploited in a practical attack, rate limiting issues are excluded.
Response Timelines
advact is committed to prompt and efficient communication with security researchers throughout the bug reporting and resolution process. As a small enterprise, our team might not always match the rapid response times of larger organizations, but we are committed to addressing each bug bounty report with the utmost diligence.
Initial Report Acknowledgment:
Upon submission of a bug bounty report, researchers can expect an initial response from our security team within 5-10 business days. This response will confirm the receipt of the report and may include requests for additional information if necessary.
Vulnerability Resolution Timeline:
Our team endeavors to assess and prioritize the reported vulnerabilities based on their severity and potential impact. We target to address and rectify verified vulnerabilities within 90 to 120 days from the acknowledgment of the report. The complexity of the issue and resource availability may influence these timelines. We maintain transparency with researchers about our progress and any anticipated delays.
Payment Processing:
Following the payment guidelines detailed below, bounty disbursements are scheduled net 30 days subsequent to the successful verification and remediation of the reported vulnerability. We will engage with the researcher to confirm that the resolution is satisfactory before processing the payment.
We appreciate your understanding and patience with our process. Our team is committed to fostering a collaborative and respectful relationship with the security research community, ensuring we collectively enhance the cybersecurity landscape.
Payment Guideline
To qualify for and receive bounties, participants must adhere to the following payment guidelines:
Currency and Method:
Bounties are paid either in Swiss Francs (CHF) to Swiss bank accounts or in US Dollars (USD) via PayPal. These are the only accepted methods of payment to ensure compliance with financial regulations and to facilitate a smooth transaction process.
Account Ownership:
Participants must have a bank account (or PayPal account) registered in the name of the individual or the legal entity (company) participating in the program. For compliance and transparency reasons, we do not pay out to accounts that are not directly owned by the reporter.
Compliance with Payment Modalities:
Eligibility for bounty awards is contingent upon fulfilling these payment conditions.
Should documentation be necessary for your financial records, we will issue on request an invoice reflecting the bounty amount in your name or your company's name.
Payment Terms:
Bounty payments are processed with a net term of 30 days following the validation of the vulnerability and confirmation of the reward. The bounty encompasses all aspects of the service provided, including but not limited to, the actual bug bounty hunting activities, comprehensive reporting, related expenses, and any ancillary costs.
Tax Liability:
The responsibility for the declaration and payment of taxes lies with you or your company as the bounty recipient, in accordance with the prevailing tax regulations of your locality. Each party is independently responsible for their respective taxes and duties as mandated by law.
In situations where the bounty recipient is unable to accept payment due to any circumstances, we reserve the right to revoke the bounty offer.