Crebber's Bug Bounty Program


Through a bug bounty program, people around the world can help identify bugs for the further improvement of a project and be a part of the team!

 

Reporting weaknesses in our IT systems

The Crebber Security Team is committed to protecting our customers. As part of this commitment, we invite security researchers to help protect Crebber and its users by proactively identifying security vulnerabilities via our bug bounty program. We work hard every day to maintain and improve our systems and processes so that our customers can process safely online at all times. However, should you find a weakness in one of our IT systems, we would appreciate your help.

 

Security Reporting

What you can report: security@crebber.com

You can report any number of weaknesses in our IT systems. If you spot a weakness, please contact us as soon as possible. Examples are:

  • Cross-Site Scripting vulnerabilities (i.e. Stored, Reflected);
  • SQL Injection vulnerabilities;
  • Encryption weaknesses;
  • Remote Code Execution;
  • Authentication Bypass, Unauthorized data access;
  • XML External Entity;
  • S3 Bucket Upload;
  • Server-Side Request Forgery.

 

How to report a weakness:

  • Provide your IP address in the bug report. This will be kept private for tracking your testing activities and to review the logs from our side.
  • You can report weaknesses to us by email: responsible.disclosure@nl.abnamro.com. Please be sure to encrypt your message with this PGP key to prevent information from being intercepted by criminals. State concisely in your email what weakness(es) you have found. We will take action immediately.
  • Describe the issue you found as explicitly and in as much detail as possible, and provide any evidence you might have. Keep in mind that the notification will be received by specialists.
  • We will not accept reports that consist only of automated scanner output.
  • In particular, include the following in your e-mail:
    • Which vulnerability;
    • The steps you undertook;
    • The entire URL;
    • Objects (such as filters or entry fields) possibly involved;
    • Screen prints are highly appreciated.

What will not be accepted

  • "Self" XSS;
  • HTTP Host Header XSS without working proof-of-concept;
  • Incomplete/Missing SPF/DKIM;
  • Social Engineering attacks;
  • Denial of Service attacks.

 

What we do with your report

A team of security experts will investigate your report and will contact you within two work days to discuss the weakness, how you found it and follow-up action.

 

Your privacy

We will only use your personal details to take action based on your report. We will not share your personal details with others without your express permission.

 

Rules

Observe the rules

If you discover a weakness and investigate it, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our IT systems, we will not report your offence to the authorities and will not submit a claim.
It is important for you to know, however, that the public prosecutor’s office – not Crebber Security – will decide whether or not you will be prosecuted, regardless of whether we report your offence to the authorities. We cannot promise that you will not be prosecuted if you commit a punishable offence when investigating a weakness.


The National Ministry of Cyber Security and Justice has created guidelines for reporting weaknesses in IT systems. Our rules are based on these guidelines.

 

Rules

Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary in order to find or demonstrate the weaknesses.

  • Secure your own systems as tightly as possible.
  • Do not use weaknesses you discover for purposes other than your own investigation.
  • Do not use social engineering to gain access to a system.
  • Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.
  • Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.
  • Do not alter the system in any way.
  • Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others.
  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.

 

Frequently-asked questions:

Will I receive a reward for my investigation?

Yes. The Crebber Team honors and acknowledges you on this prestigious section of our system, and you might receive a reward/award depending on the severity of the weaknesses you report. You are not necessarily entitled to compensation. The amount of the reward is not fixed in advance. Crebber Security determines the amount, based on the following:

  • The caution taken in your investigation
  • The quality of your report
  • The amount of potential damages prevented as a result of your report

 

Am I allowed to publicise the weaknesses I find and my investigation?

Never publicise weaknesses in our IT systems or your investigation without consulting us first. We can work together to prevent criminals from abusing your information. Consult with our security experts and give us time to solve the problem.

 

Can I report a weakness anonymously?

Yes, you can. You do not have to give us your name and contact details when you report a weakness. Please realise, however, that we will be unable to consult with you about follow-up measures, e.g. what we do about your report, further collaboration, giving you credit or a possible reward.

 

What shouldn’t I use this email address for?

The email address security@crebber.com is not intended for the following:

  • To submit complaints about products or services
  • To submit questions or complaints about the availability of the website, mobile banking or Internet Banking
  • To report problems with ATMs or payment terminals
  • To report fraud or suspicion of fraud
  • To report phony emails or phishing emails
  • To report viruses

 

Information for reporters

Please note that we are currently backfilling this page with reporter information. If you have reported a vulnerability which has been accepted and your details are not here already but you would like them to be, please contact security@crebber.com and include the reference number you were provided with, along with the name/handle and a link to a social media account if you wish that to appear here.

Crebber relies on consent to publish the personal information of researchers online. We will include a link to the researchers’ social media profiles, but only if the researcher asks us to do so. The researcher can withdraw their consent at any time by contacting security@crebber.com. For further information about how Crebber processes your personal information, including your rights under data protection law, please see Crebber's privacy policy.

 

 

 

Website links

Please note that we only link to security researcher social media profiles on request. Our trust model does not enable us to link to other websites. Currently, LinkedIn, GitHub, Twitter, Instagram and Facebook profile links are accepted. Other social media sites will be reviewed and considered at the point of request.
