CoreTech Bug Bounty Program

CoreTech works hard on security to keep its services as safe as possible, but we know that some bugs have not been discovered yet.
If you believe you've found a security issue in the services listed in our scope (TARGET), we will work with you to resolve it promptly and ensure you are fairly rewarded for your discovery.

Qualifying Vulnerabilities | Legend

Severity   Risk score   Min €          Max €     Description
Low        1-2-3-4      Hall of Fame   -         Blind vulnerability, possibility to exploit the vulnerability for phishing
Medium     5-6          150 €          300 €     Viewing or stealing by a single user (unsystematic), system slowdowns (server machine), decrypting data, viewing application data
High       7-8-9        400 €          800 €     Access to sensitive data of all users, access or theft of data of a target user or multiple users, access to important system data
Critical   10           1000 €         2000 €    Critical access to systems, ability to encrypt servers, major damage to society

CoreTech may provide rewards to eligible reporters of qualifying vulnerabilities. Reward amounts vary depending upon the severity of the vulnerability reported.
CoreTech reserves the right to decide whether the minimum severity threshold is met and whether the reported bug is actually already covered by a previously reported vulnerability. Rewards are granted entirely at the discretion of CoreTech. To qualify for a reward under this program, you should
If the reported vulnerability, after an evaluation by the CoreTech staff, is not among the paid ones, a score that can be viewed in the Hall of Fame will be assigned. Upon reaching 50 CoreTech points you may redeem an economic prize worth 50 euros.

Reward Payment

We pay by:

  • Paypal
  • Bank Transfer

Qualifying Vulnerabilities

Each vulnerability type is listed with its description and the risk level (1-10) assigned to it, which maps onto the legend above.

File Injection
  • Insertion of the vulnerable file without the possibility of reaching it (risk level 4)
  • The inserted file can be reached from the outside (risk level 5)
  • The inserted file is externally executable (risk level 8)
  • The inserted file allows various escalations (risk level 9)
  • The inserted file allows you to insert remote consoles and/or modify the site (risk level 10)
Broken Authentication
  • Reach a single user's data (risk level 6)
  • Reach sensitive data of a single user (risk level 7)
  • Modification / deletion of a single user's data (risk level 7)
  • Access to credit cards or information that can harm the user (risk level 8)
  • Reach user data of all users (risk level 7)
  • Reach sensitive user data of all users (risk level 8)
  • Change / delete all user data (risk level 8)
  • Access to credit cards or information that can harm all users (risk level 10)
Sensitive Data Exposure
  • Access to all application code (risk level 7)
  • Partial access to the application code (risk level 5)
  • Access to confidential data of other users (risk level 6)
  • Access to confidential data of a chosen user (risk level 7)
  • Access to system logs (risk level 6)
  • Access to user logs (risk level 6)
  • Access to the logs of a chosen user (risk level 6)
  • Various configuration data (risk level 3)
  • SQL errors (risk level 3)
  • SQL errors that display important data (risk level 5)
  • Backend language errors (risk level 2)
  • Backend language errors that display data (risk level 4)
  • Inactive or potential vulnerabilities (risk level 1)
Vulnerable and Outdated Components
  • Inactive or potential vulnerabilities (risk level 1)
  • Vulnerabilities verified in the application (risk level 5)
Command Injection
  • Ability to arbitrarily launch all commands (risk level 9)
  • Possibility to launch only some malicious commands (risk level 8)
  • Possibility to access all the functions of the machine (risk level 10)
  • Blind Command Injection: only test commands such as sleep or ping (risk level 4)
SQL Injection
  • Blind SQL Injection (risk level 4)
  • Generating an SQL error (risk level 4)
  • Possibility of escalation and access to the database (risk level 10)
  • Ability to delete data (risk level 7)
  • Ability to view data (risk level 7)
  • Ability to view sensitive data (risk level 8)
  • Possibility to modify the data (risk level 7)
Cryptographic Failures
  • Only a single item of data decrypted (sent to the client) (risk level 5)
  • All data decrypted (sent to the client) (risk level 6)
  • Decryption of sensitive database data (risk level 6)
  • Display of data that should be encrypted (risk level 4)
  • Method to decrypt all data using the app (risk level 6)
Broken Access Control
  • Ability to get all users' passwords (risk level 9)
  • Bypassing the password or username (risk level 8)
  • Login configuration error (risk level 8)
  • Possibility of obtaining the password of a limited group of users (risk level 8)
  • Via single-user SQL Injection (risk level 6)
  • Through a single-user design error (risk level 7)
XSS
  • Blind XSS (risk level 3)
  • XSS with session theft (risk level 7)
  • XSS with GUI modification (risk level 3)
  • XSS with addition of text in formats consistent with the site (risk level 4)
  • XSS with sensitive data theft (risk level 6)
  • XSS with slowdowns for the user (risk level 5)
  • XSS with slowdowns for the system (risk level 5)
  • Stored Blind XSS (risk level 4)
  • Stored XSS with session theft (risk level 8)
  • Stored XSS with GUI modification (risk level 4)
  • Stored XSS with convincing text added to the GUI (risk level 5)
  • Stored XSS with sensitive data theft (risk level 7)
  • Stored XSS with slowdowns for the user (risk level 6)
  • Stored XSS with slowdowns for the system (risk level 6)
Access to Systems
  • Read access (risk level 8)
  • Write access (risk level 10)
  • Possibility to encrypt (risk level 10)
Session Hijacking
  • Single user (risk level 6)
  • Multiple users (risk level 8)
  • Targeted user (risk level 7)
  • By theft (risk level 7)
  • Through prevention (risk level 8)

Eligibility and Responsible Disclosure

We are happy to work with everyone who submits valid reports which help us improve our security.
However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You need to be the first person to report an unknown issue.
  • Any vulnerability found must be reported no later than 24 hours after discovery.
  • You are not allowed to disclose details about the vulnerability anywhere else.
  • You must avoid tests that could cause degradation or interruption of our service.
  • You must not leak, manipulate, or destroy any user data.
  • You are only allowed to test against accounts you own yourself.
  • The use of automated tools or scripted testing is not allowed.
  • You must not be a former or current CoreTech employee.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability, and include attachments such as screenshots or proof-of-concept code as necessary.
  • Disclose the vulnerability report exclusively to CoreTech.


We intend to respond to and resolve reported issues as quickly as possible. This means that you will receive progress updates from us at least every five working days. Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the CoreTech brand, will result in immediate disqualification from the program.

Scopes


Out-of-scope security bugs are currently not eligible for monetary rewards and will be handled as a responsible disclosure. We will do our best to give you vouchers or some cool gifts if your report prompts changes on our side.

How to communicate the vulnerability

To report a valid vulnerability we kindly ask you to:

  • Use the appropriate form: https://www.coretech.it/en/service/chi_siamo/contatti.php. Select "Participate in Bug Bounty" as the contact reason.
  • Provide a brief description of the vulnerability found and any damage and risks associated with it.
  • Provide a demonstration video of how the vulnerability is executed and what possible damage it can cause.

Hall of Fame

Nickname                               Reports   Points
m0m0x01d                               3         /
jsafe                                  1         /
Ninebrainer                            1         /
Yogesh                                 1         /
jayalakshmi                            3         /
Sohit Kumar Mahato                     17        310
BrainStorm (aka Davide Bonsangue)      /         /