Bug bounty programme terms and conditions
We place great value on the security of our users and appreciate your help in improving our products and services.
Please submit detailed reports with reproducible steps. If the report is not detailed enough to reproduce the problem, you will not be entitled to a reward.
As an ethical hacker, you agree that
- Access to customer data is strictly prohibited
- Access to Bürkert’s internal data is strictly prohibited
- Social engineering (e.g. phishing, vishing, smishing) is prohibited
- One report must be submitted per vulnerability – unless you need to chain vulnerabilities to demonstrate the impact
- Only one bounty will be paid for multiple vulnerabilities caused by one underlying issue
- In the case of duplicates, only the first report received will be rewarded (provided it can be fully reproduced)
- You will make every effort to avoid data breaches, data destruction and disruptions or impairments to our service
- You will only interact with accounts that you own or for which you have the explicit permission of the account holder
- Results consistent with findings from SSL/TLS test sites, CAA reports and security score sites are not eligible for bug bounties
Bürkert intends to pay the maximum permissible bounty for each report. We recommend that hackers contact us with questions before and after reporting a finding to avoid collisions.
When reporting vulnerabilities, please take into account
- The attack scenario/exploitability
- The impact of the flaw on security
Vulnerabilities that will not be taken into account / exclusions
- Clickjacking on pages without sensitive actions
- Cross-site request forgery (CSRF) on unauthenticated forms or forms without sensitive actions
- Known vulnerable libraries without a working Proof of Concept
- Any activity that could disrupt our service (DoS)
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
- Rate limiting or brute force issues on unauthenticated endpoints
- Lack of best practices regarding the Content Security Policy
- Lack of email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Lack of best practices regarding DNSSEC
- Lack of best practices regarding MTA-STS
- Lack of best practices regarding CAA
- Vulnerabilities that only affect users of outdated or unpatched browsers
- Disclosure of software version / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Public zero-day vulnerabilities for which an official patch has been available for less than one month (evaluated on a case-by-case basis)
- Tabnabbing
- Open redirect – unless an additional security impact can be demonstrated
- Issues requiring an unlikely user interaction
You can send your report directly to information-security@burkert.com.