pharma4u GmbH Bug Bounty Program

pharma4u GmbH runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of pharma4u GmbH set out below.

Open Bug Bounty performs triage and verification of submissions. However, we never intervene in the subsequent vulnerability remediation and disclosure process between pharma4u GmbH and researchers.

This bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

pharma4u.de
apothekerwebinare.de
software.labxpert.de

Non-Intrusive Submissions Handling

The following section covers submissions of vulnerabilities that do not require intrusive testing under Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Our Bug Bounty program covers software vulnerabilities in services provided by pharma4u. See the domains listed in the scope of our openbugbounty.org profile.

All other websites, software, applications etc. are explicitly out of the Program's scope, in particular:
- Websites not provided by pharma4u
- External websites, software, applications etc. that link to pharma4u
- External websites, software, applications etc. that use pharma4u's APIs
- Websites that are not pharma4u Services as outlined above (Non-pharma4u Services)

First Reporter Rule
A Security Researcher who reports an issue first is called the First Reporter. Rewards for a specific vulnerability go to the First Reporter. A subsequent bug report describing the same or a similar vulnerability is not eligible for a reward (first come, first served). If pharma4u is already aware of a specific vulnerability at the time a bug report describing the same or a similar vulnerability is submitted, pharma4u is deemed to be the First Reporter.

Testing Requirements:

pharma4u needs documentation of the existing vulnerability. This is called a bug report. pharma4u can only accept complete bug reports sent via openbugbounty.org.

A bug report is complete if pharma4u can reproduce the bug and assess its potential impact.

How can I make sure it is complete?

- Add as much information in your report as you can.
- Add a complete description of the bug.
- Point out the potential impact of the bug.
- Provide guidance to reproduce the bug (proof of concept).

In general, every bug in a pharma4u Service that leads to a relevant vulnerability may be eligible for a reward. The focus lies on:

- Leakage of data
- Classification of endangered data

In the following you find some examples for security issues which may be eligible for a reward in accordance with this Program:

- Leakage of data
- Getting malicious access to user accounts
- Code injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Remote code execution
- Privilege escalation
- Clickjacking
- Authentication bypass

Possible Awards:

pharma4u grants rewards (also called bounties) for reporting software vulnerabilities in accordance with this Program. Rewards may be granted if all of the following requirements are fulfilled:

- Responsible Investigation
- Complete Bug Report
- Eligibility of Vulnerability
- Responsible Disclosure

If any one of the above requirements is not fulfilled, this is assessed as non-compliance with this Program.

pharma4u decides at its sole discretion whether a reward is granted and the exact amount of the bounty.
Rewards are paid out as gifts from online shops (e.g. Amazon). We will ask you for a wish on Amazon. Feel free to send us your Amazon wish list when reporting a bug.

The reward that can be expected for your bug report depends on the severity of the reported vulnerability. The table below gives a general guideline of what you can expect for your investigation efforts:

Severity    Value of gift (EUR)
Critical    100 (or more, depending on the severity of the vulnerability)
High        50
Medium      25
Low         5

The amounts above are minimum bounties for each severity level. A concrete bounty may exceed the minimum amount based on the severity of the vulnerability and/or the Security Researcher's technique and reporting quality. The granted reward is determined by the impact on the pharma4u Service.

Previously granted bounty amounts are not considered precedent for future bounty amounts.

Special Notes:

Please only report vulnerabilities via openbugbounty.org.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time: how quickly researchers get responses to their submissions.
Remediation Time: how quickly reported submissions are fixed.
Cooperation and Respect: how fairly and respectfully researchers are treated.

Researcher's comments

Shi_Vam, 26 July 2019:
Please give your email for other bug reports.

MindFlayer, 23 July 2019:
Is there a way I can reach you through an email so I am able to present my bug report more clearly? Thanks.

SecuNinja, 22 July 2019:
Thanks a lot for the bounty! :)

Hide_khan, 20 July 2019:
Please give your email for other bug reports.
