Bug Bounty programme
At Bencompare our goal is to make your contracts clear. Because of this, we have a lot of confidential information. We want to offer our users an environment that is as safe as possible. That is why we have started the Bug Bounty program.
Conditions
This Bug Bounty program is limited to the Bencompare app and its system.
The static Bencompare site is out of scope. The same applies to ideas.bencompare.com.
Be considered for a reward
In order to be considered for a reward, it’s important that you:
- are the first to let us know about the vulnerability;
- send us an informative description of the vulnerability, together with a step-by-step plan for reproducing it. Add screenshots of the concept code if necessary;
- do not share the vulnerability with others before we have solved the issue;
- have handled the discovery of the vulnerability carefully. Test on your own account(s) and do not try to access or change other users’ data;
- do not take advantage of a security problem you have discovered.
The following are prohibited:
- brute force attacks;
- social engineering;
- use of already registered vulnerabilities in external systems for which there is not yet a solution.
Our security team answers all vulnerability reports within 30 days (usually sooner).
Rewards
Our security team answers the reports on the basis of the urgency of the vulnerability. We pay more for the discovery of bugs that are unique and difficult to find. We do not set a maximum reward, so that creatively found, serious bugs can receive a higher reward. Our minimum reward is € 50.
Weakness | Minimum reward |
External code execution on the server (e.g. entering commands) | 5 000 EUROS |
Unrestricted access to the data system | 5 000 EUROS |
Access to user data (e.g. passwords) | 2 500 EUROS |
Bypassing of security measures | 1 000 EUROS |
Access to trusted information from third parties (e.g. addresses, phone numbers, etc.) | 1 000 EUROS |
Additional conditions
- we reserve the right to cancel or make changes to this program at any point;
- you can donate your reward to a recognized charity (subject to approval from Benergy), and we will double the amount;
- placing content in the Bencompare app via content injection is not eligible unless you can clearly demonstrate a significant risk.
By sending vulnerability reports you are agreeing to the aforementioned rules. Send your report to:
bugbounty@bencompare.com
You can use our public PGP key.
Your Bencompare Security Team