Bug Bounty programme

At Bencompare our goal is to make your contracts clear. Because of this, we have a lot of confidential information. We want to offer our users an environment that is as safe as possible. That is why we have started the Bug Bounty program.

Conditions

This Bug Bounty program is limited to the Bencompare app and its system.

  • Bencompare’s current mobile app for iOS and Android;
  • Bencompare’s API.

The static site of Bencompare is out of scope.

Be considered for a reward

In order to be considered for a reward, it’s important that you:

  • are the first to let us know about the vulnerability;
  • send us an informative description of the vulnerability, together with the steps for reproducing it. Add screenshots of the proof-of-concept code if necessary;
  • do not share the vulnerability with others before we have solved the issue;
  • have taken care while discovering the vulnerability. Test on your own account(s) and do not try to access or change other users’ data;
  • do not take advantage of a security problem you have discovered.

Prohibited are:

  • brute force attacks;
  • social engineering;
  • use of already registered vulnerabilities in external systems for which there is not yet a solution.

Our security team answers all vulnerability reports within 30 days (usually sooner).

Rewards

Our security team answers the reports on the basis of the urgency of the vulnerability. We pay more for the discovery of bugs that are unique and difficult to find. We do not set a maximum reward, so that creatively found, serious bugs can receive a higher reward. Our minimum reward is €100.

Weakness | Minimum reward
External code execution on the server (e.g. entering commands) | 5 000 EUROS
Unrestricted access to the data system | 5 000 EUROS
Access to user data (e.g. passwords) | 2 500 EUROS
Bypassing of security measures | 1 000 EUROS
Access to trusted information from third parties (e.g. addresses, phone numbers, etc.) | 1 000 EUROS

Additional conditions

  • we reserve the right to cancel or make changes to this program at any point;
  • you can donate your reward to a recognized charity (subject to approval from Benergy), and we will double the amount;
  • placing content in the Bencompare app via content injection is not eligible unless you can clearly demonstrate a significant risk.

By sending vulnerability reports you agree to the aforementioned rules. Send your report to:

bugbounty@bencompare.com

You can use our public PGP key.

Your Bencompare Security Team