Bug and Security Policy
The team at eventplanner.net is highly dedicated to safeguarding the data of our users. As a small company, we focus our efforts on collaborating with a select array of security researchers and tools. We are fortunate to have the trust and support of our community. Therefore, we do not offer a traditional 'bounty programme' with financial rewards.
We welcome dedicated security researchers who identify legitimate vulnerabilities with substantial implications to share their findings with us. We hold ethical hackers in high esteem for their crucial role in maintaining cybersecurity, and while we're a small business with finite means, we contribute to this community. If, on the other hand, your approach predominantly makes use of automated tools to unearth minor issues, and you then request a payout, we must inform you that you might end up dissatisfied.
The scope of this Policy is limited to the following domains: eventplanner.net, eventplanner.be, eventplanner.nl, eventplanner.es, eventplanner.de, eventplanner.ie, eventplanner.co.uk, eventplanner.lu, and eventplanner.fr. Please note that the codebase for all these domains is the same, so it's best to focus your efforts on the main domain, eventplanner.net.
Under this Policy, we commit to fixing all accepted bugs in a reasonable time, determined by the severity and complexity.
The official language for this Policy is English, which serves as the principal and governing version. In the case of any discrepancy between the English version of this Policy and any subsequent translations, the English version will take precedence and authority.
Rules of Engagement
If, having read the above information, you still wish to disclose any vulnerabilities to us, you acknowledge that we do not maintain a 'bounty programme', and any potential rewards will be offered based on our criteria for distributing rewards. By submitting your reports, you express your consent and commitment to adhere to the Policy Guidelines and Legal Conditions mentioned in this Policy, acknowledging that you've read and fully understood these terms.
Policy Rules
- Only test vulnerabilities using accounts that you personally own; never compromise or target accounts belonging to other users. eventplanner.net does not provide any supplementary access or accounts, including testing accounts.
- Do not interact with our users' content, such as liking posts, commenting, or requesting offers. To experiment with these features, kindly visit our dedicated test page.
- Never use a finding to compromise or exfiltrate data, or to pivot to other systems. A proof of concept should only be used to demonstrate an issue.
- If the process of discovering a vulnerability results in access to sensitive information, such as personal data or credentials, this information must not be retained, transferred, accessed, or processed in any way following its initial discovery. All instances of sensitive information must be deleted.
- Researchers must not, and are not authorised to, participate in activities that could be disruptive, damaging, or harmful to eventplanner.net, its brands, or users. This includes social engineering, phishing, physical security attacks, and denial of service attacks against users, employees, or eventplanner.net.
- When seeking out vulnerabilities, it is forbidden to compromise the integrity, availability, or confidentiality of eventplanner.net applications and services. Any activities that could damage the company's applications, infrastructure, customers, or partners are strictly prohibited.
- While testing SQL injection, any server actions are strictly forbidden except for retrieving information about the current database, its version, the current user, or host name.
- When testing file upload and file read functionality, it is strictly forbidden to read, alter, modify, delete, or replace any server files, including system files.
- Researchers are not permitted to publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorised eventplanner.net employees) or share vulnerabilities with a third party without express written permission from eventplanner.net. Disclosure to authorities is only possible after mutual consultation and with the permission of eventplanner.net.
- Maintain minimal disruption. Always comply with Policy rules. Do not utilise automated scanners and tools; these tools incorporate payloads that could instigate state changes or damage production systems and data.
- Do not test beyond what is necessary to discover the vulnerability.
- Before potentially causing damage, cease activity, report your findings, and request additional permission to test.
- Under no circumstances does the authorisation granted by this Policy extend to acts carried out with fraudulent intent or with intent to harm.
Breach of any of these rules could result in ineligibility and legal prosecution.
In relation to this Policy, you commit to abiding by eventplanner.net's Terms of Use and Privacy Policy, along with all applicable laws and regulations, including those laws or regulations governing privacy or lawful data processing.
eventplanner.net retains the authority to revise or amend the terms of this Policy at its discretion. If you are a resident of, or an individual located within, a country listed on the EU Sanctions Map (as issued by the European Union), you are prohibited from participating.
eventplanner.net neither grants implied nor explicit permission to any person or group of persons to (1) extract and publish personal information or content belonging to eventplanner.net customers or their users without user consent, or (2) alter or corrupt programmes or data that belong to eventplanner.net, its partners, or suppliers with the aim of extracting and publicly disclosing data.
The law of 28 November 2022 (Belgian Law), concerning the protection of those reporting breaches of the European Union or national law established within a legal entity in the private sector, remains in full force.
Employees of eventplanner.net (including former employees), freelancers, contractors, and their personnel, consultants, immediate family members, and individuals residing in the same household are not eligible to receive bounties or rewards of any kind.
Personal Data
The processing of personal data is not covered by this Policy. If a specific action or the discovery of a vulnerability exposes personal data, eventplanner.net must be contacted immediately to check whether the security investigation can be continued. Processing of personal data is always subject to signing a DPA (data processing agreement), under which the guarantees stated below must be ensured:
- only process personal data on the basis of written instructions from eventplanner.net;
- all persons authorised to process personal data must provide written confirmation by signing an NDA (non-disclosure agreement) and a DPA (data processing agreement), and must follow all applicable European legislation, including keeping the data in Europe;
- take appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- obtain the prior consent of eventplanner.net to employ another ethical hacker and oblige the latter to comply with the content of this Policy;
- assist eventplanner.net by means of appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests to exercise the rights of the data subject;
- assist eventplanner.net in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR (security, breach notification, impact analysis, prior consultation), taking into account the nature of the processing and the information available to the ethical hacker;
- notify eventplanner.net without delay as soon as the ethical hacker becomes aware of a personal data breach;
- after participation in the activities under the Policy, delete all personal data or return it to eventplanner.net, and delete existing copies;
- provide eventplanner.net with all necessary information to demonstrate compliance with its obligations, including a register of all categories of processing activities that have been carried out on behalf of eventplanner.net;
- not use personal data for any purpose other than detecting vulnerabilities in the system, and not communicate this data to third parties.
Non-Disclosure Agreement
Prior to delving into discussions about identified vulnerabilities under this Policy, including topics such as remuneration, you must first sign a Non-Disclosure Agreement with us. This will serve as a prerequisite before we proceed.
Safe Harbour
eventplanner.net promises not to pursue any legal actions or instigate a law enforcement investigation against a researcher who reports a vulnerability, as long as the researcher strictly adheres to this Policy.
It's important to realise that if your security investigation involves the networks, systems, data, applications, products, or services of another entity (other than us), that entity has the discretion to decide whether to pursue legal proceedings. We do not have the authority to sanction security research on behalf of other organisations. In the event that a third party initiates legal proceedings against you, and you've abided by this Policy, we will take reasonable measures to disclose that your activities were in accordance with this Policy.
This Policy can in no way be an incitement to hacking by third parties.
As always, you must adhere to all relevant laws and regulations.
Before partaking in any activity that could be perceived as contradictory to or unaddressed by this Policy, please send a report to security@eventplanner.net.
Testing
The daily web traffic exchanged between eventplanner.net, our associated domains, and our hosting partners generates immense data volumes. When conducting tests, it's beneficial for us if you can distinguish your testing traffic from our regular data and potentially harmful external entities. Therefore, we kindly request you to observe the following steps during your testing:
- Whenever feasible, please use the primary email address that you use for communication with eventplanner.net to register accounts.
- Include your IP address in your bug report. We assure you that this information will be kept confidential and solely used to review logs related to your testing activity.
- Incorporate a unique HTTP header in all your traffic. Proxies like Burp enable easy and automatic addition of headers to all outgoing requests. Inform us about the header you've set so we can easily identify it.
Submitting a Report
If our security team is unable to reproduce or validate an issue, a bounty cannot be granted. To enhance the efficiency of our submission process, we request that submissions include the following:
- A detailed description of the vulnerability
- A guide detailing the steps required to reproduce the reported vulnerability
- Evidence demonstrating exploitability (e.g., screenshot, video)
- Anticipated impact on another user or the organisation
- Suggested CVSSv3 vector and score (excluding environmental and temporal modifiers)
- List of URLs and impacted parameters
- Other vulnerable URLs, additional payloads, proof-of-concept code
- Information on the browser, operating system, and/or app version used during testing
Please note: non-compliance with these minimum requirements may result in the forfeiture of a reward.
All supporting evidence and other attachments should be stored exclusively within the report you submit. Refrain from hosting any files on external services. Kindly submit all security reports via email, with attachments, to security@eventplanner.net.
Rewards
As stated, we do not operate a traditional 'bounty programme' involving monetary rewards. Nonetheless, we hold a profound respect for ethical hackers and the invaluable work they undertake, so we aim to compensate their efforts, despite our position as a small enterprise with finite resources. This implies we cannot guarantee any fixed reward, but we strive to recompense within the stipulated ranges below.
We categorise bugs based on their severity, which is subjectively determined by eventplanner.net. If rewards are deemed appropriate, the decision is exclusively at the discretion of eventplanner.net, and such rewards, if any, will be processed within a 30-day period. We typically do not offer rewards for vulnerabilities that necessitate excessively complicated interactions or whose impact or security risk is considered minimal. If there's any evidence of policy infractions, rewards may be withheld.
Severity and possible reward (not guaranteed):
- Critical: € 500
- High: € 150-350
- Medium: € 50
- Low: € 0, but a big thank you
- Informative: € 0
Out of Scope
Certain vulnerabilities are considered out-of-scope. Those out-of-scope vulnerabilities include, but are not limited to:
- Spam
- Scanner output or scanner-generated reports
- Security vulnerabilities in third-party applications, libraries, and third-party websites integrated with eventplanner.net
- Issues that we are already aware of or have been previously reported
- Issues that require unlikely user interaction
- Issues found through automated testing
- Issues related to networking protocols
- Software version disclosure
- Verbose error pages (without proof of exploitability)
- Incomplete/missing SPF/DKIM/DMARC
- Clickjacking/UI redressing
- Use of known vulnerable library (without proof of exploitability)
- Physical attacks
- Intentional open redirects
- Reflected file download
- Autocomplete attribute on web forms
- Disclosure of information that does not present a significant risk
- Vulnerabilities that require social engineering/phishing
- DDoS (distributed denial of service) attacks
- Cross-site request forgery with minimal security impact
- CSV injection
- General best practice concerns (including SSL/TLS)
- Man-in-the-middle attacks
- Host header injections without a specific, demonstrable impact
- Self-XSS, which includes any payload entered by the victim
- Login/logout CSRF
- CSRF and XSS without influencing sensitive data
- Bypassing root and jailbreak detection
- Reports about the disadvantages of using SMS codes
- Unlimited sending of SMS and email messages
- Issues with emails, SMS or other messaging
- Information about IP addresses, DNS records, and open ports
- Tabnabbing
- Full path disclosure
- Cache-control related issues
- Hypothetical issues that have no practical impact
- Missing cookie flags
- Broken link hijacking
- UX/UI bugs and spelling mistakes
- Publicly released bugs in internet software within 30 days of their disclosure
- Related issues such as 'Same bug, different host/domain', or 'Same payload, different parameter'
- Policies, headers or other settings
Questions
For any enquiries related to our Policy, please reach out to security@eventplanner.net. We appreciate your cooperation.