We are excited to announce our Bug Bounty Program, aimed at identifying vulnerabilities in our application and infrastructure.
The program covers security problems in our website, our apps and our public-facing APIs, whether they are exploitable with a Crisp account or without any account at all. Broadly speaking, this includes any improper manipulation of our business logic or backend software.
Some examples:
- Any manipulation of pricing/discount logic that allows for getting substantially discounted or free orders.
- Leaks of data belonging to users other than the user accessing the app.
- The ability to claim invite/promotional codes improperly or multiple times.
- The ability to log in as another customer without having that customer's credentials.
- Any achievable SQL injection.
- Any path/filename manipulation that allows backend files to be read or overwritten.
- XSS on crisp.nl or in the app.
- Being able to log in to crisp.kitchen.
- Remote code execution.
We commit to responding within 1 week to any identified problem(s).
🤺 Rules of engagement
- Always use the dedicated for-hackers. subdomains.
- Behaviour on these subdomains is identical to the regular ones; they exist so that your testing traffic does not trip our anomaly alerting and page us out of bed 🙏.
- Be considerate with request rates: keep automated tooling below 3 requests per second.
- Use "hacker" somewhere in your email address when creating an account, eg [email protected].
- Send your submission via email to [email protected]
- Be sure to include a complete report, where possible supported by screen recordings.
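A simple way to keep automated tooling under the request-rate rule above is to put a rolling-window limiter in front of every request your scripts send. The following is an added example for this page, not code from Crisp: a thread-safe limiter that allows at most 2 requests in any rolling second (comfortably below 3/s), a fetch loop that goes through it, and a checker that verifies the issued timestamps never exceed the limit. The clock and sleep are injectable, so the demo runs on a simulated clock with no real waiting; the URLs and the no-op `fetch` callable are placeholders, and the example assumes nothing about Crisp's actual hosts.

```python
import threading
import time
from collections import deque
from typing import Callable, List


class SlidingWindowLimiter:
    """Allow at most `max_calls` acquisitions in any rolling `period` seconds.

    `clock` and `sleep` are injectable so the limiter can be driven by a
    simulated clock (used in the demo below) instead of real time.
    """

    def __init__(self, max_calls: int, period: float = 1.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.max_calls = max_calls
        self.period = period
        self.clock = clock
        self._sleep = sleep
        self._stamps: deque = deque()   # times of the most recent acquisitions
        self._lock = threading.Lock()   # safe to share between worker threads

    def _evict(self, now: float) -> None:
        # Drop timestamps that have aged out of the rolling window.
        while self._stamps and now - self._stamps[0] >= self.period:
            self._stamps.popleft()

    def acquire(self) -> float:
        """Block until another call fits in the window; return seconds waited."""
        with self._lock:
            now = self.clock()
            self._evict(now)
            waited = 0.0
            if len(self._stamps) >= self.max_calls:
                # The oldest stamp leaves the window at stamps[0] + period.
                waited = self._stamps[0] + self.period - now
                self._sleep(waited)
                now = self.clock()
                self._evict(now)
            self._stamps.append(now)
            return waited


class FakeClock:
    """Simulated monotonic clock: sleeping advances time instead of blocking."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def throttled_fetch(urls: List[str], limiter: SlidingWindowLimiter,
                    fetch: Callable[[str], str]) -> List[float]:
    """Fetch each URL through the limiter; return the time each request was issued."""
    issued = []
    for url in urls:
        limiter.acquire()
        issued.append(limiter.clock())
        fetch(url)
    return issued


def max_requests_in_any_second(times: List[float]) -> int:
    """Largest number of requests issued within any 1 s window (compliance check)."""
    best = 0
    for i, start in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - start < 1.0))
    return best


def demo(n_requests: int = 7) -> List[float]:
    """Run the limiter on a simulated clock; URLs and fetch are placeholders."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(max_calls=2, period=1.0,
                                   clock=clock, sleep=clock.sleep)
    urls = [f"https://example.invalid/api/item/{i}" for i in range(n_requests)]
    return throttled_fetch(urls, limiter, fetch=lambda url: "")


if __name__ == "__main__":
    times = demo()
    print(times, "max per second:", max_requests_in_any_second(times))
```

For real tooling, construct the limiter with the default clock and sleep and call `acquire()` immediately before each HTTP request; because it holds a lock, one instance can be shared across worker threads and the combined rate stays within the window.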
🕸️ Properties in scope