Threema is a Swiss instant messenger that was built from the ground up with security and data privacy in mind.
For one thing, state-of-the-art end-to-end encryption prevents anyone other than the intended recipient (including the service provider) from reading the messages users exchange. For another thing, it is not required to provide any personal information (such as a phone number or email address) to use Threema. In other words, the service can be used completely anonymously. Finally, Threema adheres to the Privacy by Design principles, which is to say that only as little metadata as possible is generated, and it is only stored for the shortest amount of time possible.
The service provider hosts its own servers in Switzerland.
Threema operates various services (Platforms, Services). Only services from explicitly listed domains/URLs are in the scope of the Bug Bounty Program. All other domains or explicitly listed services are therefore not eligible for reward and do not fall under the Legal Safe Harbor Agreement.
By participating in this Bug Bounty Program, Friendly Hackers undertake to document information about any vulnerability found exclusively via the platform’s designated reporting form and not in any other places. They also agree to keep the found vulnerability secret for 90 days after reporting it on the platform. Finally, they undertake to upload to the platform any data from customers that they have obtained as part of a Bug Bounty Program and to delete any local copies afterwards and not to distribute them further.
In participating in the program, ethical hackers agree not to use methods that would adversely affect the tested applications or their users. These methods include:
- Social engineering
- Denial-of-service attacks or other brute force attacks
- Physical attacks
In addition to the prohibited hacking methods listed above, Friendly Hackers are required to immediately discontinue vulnerability scanning if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the Platform’s or Service’s operations.
Any design or implementation problem can be reported that is reproducible and affects security.
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference
- Remote Code Execution (RCE) - Injection Flaws
- Information Leakage an Improper Error Handling
- Unauthorized access to properties or accounts
- Data/information leaks
- Possibility of data/information exfiltration
- Backdoors that can be actively exploited
- Potential for unauthorized system use
The following vulnerabilities and forms of documentation are generally not wanted and will be rejected:
- Attacks that require physical access to a user’s device or unlikely user interaction
- Forms with missing CSRF tokens (unless the criticality exceeds CVSS level 5)
- The use of a library known to be vulnerable or publicly known to be broken (unless there is active evidence of exploitability)
- Reports from automated tools or scans without explanatory documentation
- Social engineering targeting individuals or entities of the organization
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Bots, spam, bulk registration
- Submission of best practices that do not directly result in an exploitable vulnerability (e.g., missing security headers, TLS cipher suite selection, etc.)
- Missing rate limiting without significant security impact
- Vulnerabilities affecting users of outdated or unsupported browsers, platforms, or operating systems
- Vulnerabilities affecting rooted devices or devices infected by malware
- Vulnerabilities caused by manipulated versions of our apps
- Recently disclosed 0-day vulnerabilities in libraries, components, and platforms
- Design decisions that are publicly documented (e.g., in the Cryptography Whitepaper)
The classification is verified using the Common Vulnerability Scoring System (CVSS, see first.org).
- Low: 0.1 – 3.9
- Medium: 4.0 – 6.9
- High: 7.0 – 8.9
- Critical: 9.0 - 10
The program is suspended when the set cost limit is reached.
The following services and applications may be tested. All other targets and third party services not listed here are not in scope.
- iOS App
Directory Server / ID Service
Work Cockpit & Backend
Broadcast Cockpit & Backend
Gateway Cockpit & Backend
- Start looking for vulnerabilities, respecting the definitions in this program (scope, rules, ...).
- Report found vulnerabilities and support the platform and the customer in verifying them.
- Get paid for confirmed, new vulnerabilities.
The organization gives its approval for Friendly Hackers to use hacking methods based on the specified bug bounty program. Due to this consent, the criminal liability criterion of unauthorized use and thus the criminal liability of the Friendly Hackers with regard to the elements of crime in Art. 143 StGB (unauthorized data acquisition) and Art. 143bis StGB (unauthorized intrusion into a data processing system) does not apply.