Republik AG

Beschreibung

«Republik» is a digital magazine for politics, business, society and culture. It is a service for interested people in a complex world. We research, ask questions, classify and uncover. And provide you with facts and contexts as a basis for your own reflections and decisions.

«Republik» is financed by its more than 28,000 subscribers. We are owned by no one - but a little bit by each of our members. Together we are a rebellion against the media corporations and for media diversity.

«Republik» is completely free of advertising. We disclose everything: our finances, working methods, mistakes, salaries - because we are convinced that transparency is important. Our code base is open source, targets listed below point to the relevant repositories

Regeln

Rules

Republik AG operates various services (platforms, services). Only services from explicitly listed domains / URLs are in the scope of the Bug Bounty Program. All other domains or explicitly listed services are therefore not eligible for reward and do not fall under the Legal Safe Harbor Agreement.

By participating in this Bug Bounty Program, Friendly Hackers undertake to document information about any vulnerability found exclusively via the platform's designated reporting form and not in any other places. They also agree to keep the found vulnerability secret for 90 days after reporting it on the platform. Finally, they undertake to upload to the platform any data from customers that they have obtained as part of a bug bounty program and to delete any local copies afterwards and not to distribute them further.

Hacking Methods

In participating in the program, ethical hackers agree not to use methods that would adversely affect the tested applications or their users. These include:

Social engineering
Spamming
Phishing
Denial-of-service attacks or other brute force attacks
Physical attacks

In addition to the prohibited hacking methods listed above, Friendly Hackers are required to immediately discontinue vulnerability scanning if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the Platform's or Service's operations.

Criticality Classification

The classification is verified using the Common Vulnerability Scoring System (CVSS, see first.org).

Low: 0.1 – 3.9
Medium: 4.0 – 6.9
High: 7.0 – 8.9
Critical: 9.0 - 10

Qualified vulnerabilities

Any design or implementation problem can be reported that is reproducible and affects security.

Typical examples:

Cross Site Request Forgery (CSRF)
Cross Site Scripting (XSS)
Insecure Direct Object Reference
Remote Code Execution (RCE) - Injection Flaws
Information Leakage an Improper Error Handling
Unauthorized access to properties or accounts

Other examples:

Data/information leaks
Possibility of data/information exfiltration
Backdoors that can be actively exploited
Potential for unauthorized system use
Misconfigurations

Non-qualified vulnerabilities

The following vulnerabilities and forms of documentation are generally not wanted and will be rejected:

Attacks that require physical access to a user's device or network
Forms with missing CSRF tokens (unless the criticality exceeds CVSS level 5)
Self-XSS
The use of a library known to be vulnerable or publicly known to be broken (unless there is active evidence of exploitability)
Reports from automated tools or scans without explanatory documentation
Social engineering targeting individuals or entities of the organisation
Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
Bots, spam, bulk registration
Submission of best practices that do not directly result in an exploitable vulnerability (e.g., certificate pinning, missing security headers)
Use of vulnerable and "weak" cipher suites/ciphers
Missing Rate limiting without further security impact
This program no longer accepts HTML injection with out serious impact

Cost control

The program is suspended when the set cost limit is reached.

Scope

The following services and applications may be tested. All other targets and third party services not listed here are not in scope. Especially Metabase, Matomo, Stripe, PayPal, PostFinance, Mailchimp, Mandrill and other 3rd party software not in scope. If not listed otherwise source code can be found at https://github.com/republik/plattform.

republik.ch
Main Website
publikator.republik.ch
CMS
admin.republik.ch
Admin-Tool
assets.republik.ch
Assets-Server
api.republik.ch
API / Backend
Android app.republik
Source code: https://github.com/orbiting/app
IOS ch.republik
Source code: https://github.com/orbiting/app

Verfahren

Request access to this private bug bounty program
Start looking for vulnerabilities, respecting the definitions in this program (scope, rules, ...).
Report found vulnerabilities and support the platform and the customer in verifying them.
Get paid for confirmed, new vulnerabilities.

Rechtlich

The organisation gives their approval for Friendly Hackers to use hacking methods based on the specified bug bounty program. Due to this consent, the criminal liability criterion of unauthorized use and thus the criminal liability of the Friendly Hackers with regard to the elements of crime in Art. 143 StGB (unauthorized data acquisition) and Art. 143bis StGB (unauthorized intrusion into a data processing system) does not apply.

Belohnungsstufen

Schweregrad	Belohnung
Critical	CHF 2000-3000
High	CHF 1000-2000
Medium	CHF 500-1000
Low	CHF 200-500