Indications of Vulnerabilities: CCI BugBounty Program (IHK-BugBounty Programm)
The Chamber of Commerce and Industry for Munich and Upper Bavaria (CCI) offers a wide range of digital services. The security of data and processes is of the highest priority. However, despite our best efforts, these digital services may still contain vulnerabilities that are not yet known to the CCI. Therefore, we are very grateful for any indications of vulnerabilities!
Please note: Searching for vulnerabilities may possibly constitute a criminal offense. To avoid legal difficulties, we kindly ask you to adhere to the following rules.
Overview of the CCI BugBounty Program
1. What is the CCI BugBounty Program?
"BugBounty programs" are important tools for improving the security of digital services, as they encourage a community of "ethical hackers" or security researchers to help uncover potential vulnerabilities before they can be exploited by malicious actors.
The "CCI BugBounty Program" is an initiative by the CCI to reward individuals who uncover and report errors, security vulnerabilities or "bugs" in the CCI's digital services.
The term "Bug Bounty" means "bounty for bugs". The reward, also known as "bounty", varies based on the severity and type of the uncovered failure. Anyone who adheres to the rules stated below can participate in the CCI BugBounty Program.
2. Which digital services are included in the CCI Bug Bounty Program?
The following domains (including any existing subdomains) are relevant for the Bug Bounty Program of the CCI:
Some of the above-mentioned domains redirect to websites not administered by the CCI. In these cases, the CCI BugBounty Program only covers the domain managed by the CCI, not the online service behind the redirect (e.g. basisbox.de).
Please note that digital services not included in the above list are not part of the CCI BugBounty Program. Any Bug Hunting within those domains may potentially be considered unlawful and could be penalized accordingly.
3. Rules for the CCI BugBounty Program!
Participation in the CCI BugBounty Program requires strict adherence to the following general rule: activities within the framework of the CCI BugBounty Program must not cause any harm to the CCI. This means:
- While searching for vulnerabilities, the availability, confidentiality, and integrity of the data and processes of the CCI must not be compromised. Therefore, please do not execute any phishing mailing, DDoS, or brute force tests, etc. Do not change any data.
- No backdoors or similar programs that allow permanent access may be installed.
- Identified vulnerabilities will be published only after they have been rectified by the CCI.
Furthermore, the following rules apply:
- Only the initial report of a vulnerability is eligible for a bug bounty payout.
- Current and former employees of the CCI, as well as service providers and suppliers, are not eligible to participate in the BugBounty Program.
- The CCI determines the payout amount (see 4.). A payout can only be made if the participant in the CCI BugBounty Program provides an appropriate invoice that complies with the applicable sales taxation.
4. This is how you can send us a vulnerability report
When making contact, please provide us with the following information:
- Exact domain on which you found the vulnerability.
- As many details as possible, so that we can reproduce the vulnerability, facilitate our analysis and thus speed up the payout of the reward. For example: the IP address from which the tests were carried out, proof-of-concept sketches, etc.
Please contact us via e-mail: firstname.lastname@example.org
5. What does the CCI do with vulnerability reports?
The submitted vulnerability report is evaluated by the CCI and classified into a criticality category according to its potential for harm. The "Common Vulnerability Scoring System Calculator" (CVSS) serves as guidance for categorizing vulnerability reports.
| CVSS Score | 0.1 - 3.9 | 4.0 - 6.9 | 7.0 - 8.9 | 9.0 - 10.0 |
|---|---|---|---|---|
| BugBounty (net amount before sales tax) | up to 100 € | 100 – 500 € | 500 – 1.000 € | over 1.000 € |
In this regard, the CCI is particularly interested in vulnerabilities that allow unauthorized individuals to access, modify, or delete confidential data.
Examples of relevant vulnerabilities can be found at OWASP, including the following:
The following submissions are not relevant for the BugBounty program and are not eligible for a Bounty payout:
- General accessibility of digital services
- Phishing emails and similar threats, especially those that abuse the email addresses of the CCI
- Vulnerabilities without proof of exploitability
- Vulnerabilities that only affect browsers which are outdated or only have limited security features
- Reports generated by scanners that do not provide specific and fully traceable references to a vulnerability
- Missing best practices in HTTP headers, SSL/TLS, or DNS configuration