The Ministry of Regional Development of the Czech Republic is a part of the system of central government authorities of the Czech Republic in the fields delineated by relevant legal documents. It plays an important role within the State administration through the extent of its powers, competences and responsibility for the management of financial resources.

Program description

Welcome to Ministry of Regional Development's bug bounty program. We take the security of our users seriously. We believe that working with security researchers and white hackers is crucial in identifying weaknesses in any technology. If you believe you have discovered a potential security vulnerability in our products, please help us fix it as quickly as possible by reporting your findings to us.

General rules

• Testing is only authorized on the targets listed as Testing scope.
• Any domain/property/database/IP address of Ministry of Regional Development not listed in the Testing scope section is strictly out of scope.
• Avoid privacy violations, destruction of data, and interruption or degradation of Ministry of Regional Development’s services.
• Only interact with accounts you own.
• Findings must be exact, and the Bug Bounty Reports must contain the steps to follow to reproduce the issue. Attachments such as screenshots or Proof of Concept Code are highly recommended.
• Rewards or recognition will not be awarded if our security team cannot reproduce and verify a Finding.
• You must be the first person to report a valid Finding ('duplicate' reports will not be rewarded).
• The use of not allowed Third-Party Systems, Third-Party Software and/or automated scanners are prohibited.
• Ministry of Regional Development requests that Bounty Hunters do not perform automated/scripted testing of web forms, especially "Contact Us" forms.
• If you find the same Vulnerability several times, please report only one Finding. Multiple Vulnerabilities caused by one underlying issue will be awarded one bounty.
• You must not be a former or current employee of Ministry of Regional Development or one of its subcontractors.

Out of scope issues

• Hypothetical flaw or best practices without exploitable POC and concrete attack scenario
• Reports from automated tools or scans
• Un-reproducible issues
• Use of a known-vulnerable library (without evidence of exploitability)
• Brute force attacks
• Sell/ransom user information taken from password reuse or other attacks
• Social engineering attacks (including phishing)
• Finding legacy credentials on our Github repositories (that are no longer in use or were never valid to begin with)
• User enumeration attacks
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
• Homograph Attack
• Password and account recovery policies, such as reset link expiration or password complexity
• Persistent login cookie weaknesses
• Login, logout, unauthenticated or low-value CSRF Web Sites / Applications
• Clickjacking on static website
• Disclosure of known public files or directories
• Errors thrown by web service (e.g. nginx) when the request were invalid / fuzzing
• Extension manipulation without any evidence of vulnerability (Attachments)
• Host injection, except if you can successfully forge a wrong URL or compromise something using it
• HttpOnly and Secure cookie flags as well as other missing cookie flags
• Missing security-related HTTP headers which do not lead directly to a vulnerability HTTPS configurations derivations from "state of the art" (such as HSTS settings, Secure flag for cookies, "weak" TLS ciphers, etc)
• Lack of context on user interaction
• Vulnerabilities affecting users of outdated or unpatched browsers and platforms
• UI redressing
• XSS attacks via POST requests or self XSS (unless you provide a PoC that show impact on other our customers)
• XSS or XSRF that requires header injection,
• Missing autocomplete attributes
• Missing cookie flags
• Massive automated actions on the platform through robots/crawling (except if it gathers sensitive information)
• CORS configuration, except if you can show a way to exploit this vulnerability to compromise sensitive information
• RTLO and related issues
• Stack traces or path disclosure Application Servers / API
• Content spoofing / text injection
• Errors thrown by web service (e.g. nginx) when the request were invalid / fuzzing
• Extension manipulation without any evidence of vulnerability (Attachments)
• Host injection, except if you can successfully forge a wrong URL or compromise something using it
• Missing security-related HTTP headers which do not lead directly to a vulnerability
• Vulnerabilities affecting users of outdated or unpatched browsers and platforms
• Stack traces or path disclosure
• Presence of autocomplete attribute on web forms
• Presence/absence of SPF/DMARC records Email
• Concerns related to email domain authentication
• Email configuration data
• Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
• Reports of spam Others
• Absence of rate-limiting
• Any issues regarding single session features/management
• Third-party provider's software vulnerabilities
• Denial of service attacks
• Information disclosure
• Premium phone numbers attacks
• Recently disclosed 0-day vulnerabilities
• Software version disclosure
• Technical information disclosure without impact

Incident Handling and Response

You, as Bounty Hunter must report any suspicious, unintentional or unwanted activities and security events you may find in the environment to [email protected].

Ministry of Regional Development reserves the right to terminate and/or suspend the Program or revoke any Bounty Hunter’s authorization if a security incident occurs in the environment.

Public Disclosure

Before disclosing an issue publicly, we require that you first request permission from us (using “[email protected]” email address). Ministry of Regional Development will process requests for public disclosure on a per report basis. Any Bounty Hunter found publicly disclosing reported vulnerabilities without Ministry of Regional Development’s written consent will be sanctioned.

Rewards

Ministry of Regional Development will determine, in its sole discretion, whether Reward will be awarded. Our Rewards are majorly Finding severity based. Therefore, we ask you to evaluate a Vulnerability's impact carefully. Vulnerability severity shall be determined by using the MITRE CAPEC method (https://capec.mitre.org/).

You will not receive a reward, or your finding submission might be rejected if:

• Reports about theoretical damage.
• Out of date software without proven exploitable risks.
• Attacks requiring unrealistic user interaction.
• All reports without proof-of-concept (POC).
• All reports without proven security impact.

Failure to comply with Program Rules can be sanctioned by the exclusion from the Bug Bounty Program or, even worse (legal actions against you). Failure to comply with applicable laws and the scope of permission may result in criminal prosecution.