[{"id":3773072,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 5 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Targets\n\nWe invite you to identify and report security vulnerabilities in our core services, specifically our primary websites and the associated payment gateway, Kronor. The following targets are within the scope of this program:\n\nCore applications: these are our websites and companion mobile applications.\n\n1. Web applications:\n   1. `www.boozt.com`\n   2. `www.booztlet.com`\n\n2. Mobile applications:\n   1. `com.boozt.app` / `com.boozt`\n   2. 
`com.boozt.booztlet` / `com.booztlet`\n\nKronor, a payment gateway serving merchants in the nordics.\n\n1. `https://kronor.io/v1/graphql`\n2. `https://payment-gateway.kronor.io`\n3. `https://kronor.io/cde/gql`\n\nWe are interested in both isolated vulnerabilities in these endpoints and issues related to the integration of these endpoints with our websites and mobile applications.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n**The following are prohibited:**\n\n* Social engineering (phishing, vishing, smishing).\n* Public or third-party disclosure before resolution.\n\n**Eligibility Requirements:**\n\n* First reporter of a specific vulnerability.\n* Clear textual description and reproduction steps.\n* Responsible disclosure.\n* Testing only on owned accounts.\n\nIn addition to the above consideration, you are not eligible for the program if you are a current or former Boozt Group employee or consultant.\n\n# Out of Scope\n\nPlease note that any vulnerabilities found in third-party libraries or frameworks used by any of the targets are not in scope for this program, unless they directly impact the security of the target applications.\n\n## The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Issues that can only be leveraged to attack one's own account.\n* Vulnerabilities allowing to obtain infinite \"Boozter\" points or circumventing validation on the amount of points when purchasing a \"Boozter\"\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### System and Infrastructure Credentials\n\nThe disclosure of platform API keys, infrastructure tokens, or system credentials will generally be assessed as Low severity, unless the report demonstrates systemic impact, such as:\n\n* Mass unauthorized access to customer data.\n* Financial or transactional manipulation, such as bypassing payment controls or altering pricing.\n* Bypass of platform-level authentication or authorization controls.\n\nCredentials that are expired, revoked, environment-restricted, or otherwise non-exploitable will generally be considered Informational or Out of Scope.\n\n### User Account Credentials and Third-Party Leaks\n\nReports involving customer credentials obtained from third-party breaches, malware stealer logs, credential stuffing lists, public dumps, or similar sources are generally Out of Scope, unless they demonstrate a large-scale, coordinated threat to our customer base and are directly relevant to Boozt systems.\n\nWe are only interested in 
third-party credential leaks when the dataset is massive in scale and contains a substantial number of active, verified accounts, or when the source of the data breach is directly attributable to Boozt.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. \n* Issues on Android apps affecting Webviews.\n\n### Jailbroken or rooted devices\nAny issue in our mobile applications that can only be exploited on a jailbroken or rooted device will be considered out of scope.\n\n# Changelog\n\nWe will keep this section regularly updated with changes to our assets that might have relevant security implications.\n\n## Q2 2025\n* New OAuth based authentication flow for mobile applications\n* Tighter integration with Keychain for secrets in iOS applications\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-24T07:02:53.633Z"},{"id":3764170,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. 
Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 5 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Targets\n\nWe invite you to identify and report security vulnerabilities in our core services, specifically our primary websites and the associated payment gateway, Kronor. The following targets are within the scope of this program:\n\nCore applications: these are our websites and companion mobile applications.\n\n1. Web applications:\n   1. `www.boozt.com`\n   2. `www.booztlet.com`\n\n2. Mobile applications:\n   1. `com.boozt.app` / `com.boozt`\n   2. `com.boozt.booztlet` / `com.booztlet`\n\nKronor, a payment gateway serving merchants in the nordics.\n\n1. `https://kronor.io/v1/graphql`\n2. `https://payment-gateway.kronor.io`\n3. 
`https://kronor.io/cde/gql`\n\nWe are interested in both isolated vulnerabilities in these endpoints and issues related to the integration of these endpoints with our websites and mobile applications.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n**The following are prohibited:**\n\n* Social engineering (phishing, vishing, smishing).\n* Public or third-party disclosure before resolution.\n\n**Eligibility Requirements:**\n\n* First reporter of a specific vulnerability.\n* Clear textual description and reproduction steps.\n* Responsible disclosure.\n* Testing only on owned accounts.\n\nIn addition to the above consideration, you are not eligible for the program if you are a current or former Boozt Group employee or consultant.\n\n# Out of Scope\n\nPlease note that any vulnerabilities found in third-party libraries or frameworks used by any of the targets are not in scope for this program, unless they directly impact the security of the target applications.\n\n## The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Issues that can only be leveraged to attack one's own account.\n* Vulnerabilities allowing to obtain infinite \"Boozter\" points or circumventing validation on the amount of points when purchasing a \"Boozter\"\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. 
\n* Issues on Android apps affecting Webviews.\n\n### Jailbroken or rooted devices\nAny issue in our mobile applications that can only be exploited on a jailbroken or rooted device will be considered out of scope.\n\n# Changelog\n\nWe will keep this section regularly updated with changes to our assets that might have relevant security implications.\n\n## Q2 2025\n* New OAuth based authentication flow for mobile applications\n* Tighter integration with Keychain for secrets in iOS applications\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-06T11:46:39.680Z"},{"id":3752476,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. 
Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 5 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Targets\n\nWe invite you to identify and report security vulnerabilities in our core services, specifically our primary websites and the associated payment gateway, Kronor. The following targets are within the scope of this program:\n\nCore applications: these are our websites and companion mobile applications.\n\n1. Web applications:\n   1. `www.boozt.com`\n   2. `www.booztlet.com`\n\n2. Mobile applications:\n   1. `com.boozt.app` / `com.boozt`\n   2. `com.boozt.booztlet` / `com.booztlet`\n\nKronor, a payment gateway serving merchants in the nordics.\n\n1. `https://kronor.io/v1/graphql`\n2. `https://payment-gateway.kronor.io`\n3. 
`https://kronor.io/cde/gql`\n\nWe are interested in both isolated vulnerabilities in these endpoints and issues related to the integration of these endpoints with our websites and mobile applications.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n**The following are prohibited:**\n\n* Social engineering (phishing, vishing, smishing).\n* Public or third-party disclosure before resolution.\n\n**Eligibility Requirements:**\n\n* First reporter of a specific vulnerability.\n* Clear textual description and reproduction steps.\n* Responsible disclosure.\n* Testing only on owned accounts.\n\nIn addition to the above consideration, you are not eligible for the program if you are a current or former Boozt Group employee or consultant.\n\n# Out of Scope\n\nPlease note that any vulnerabilities found in third-party libraries or frameworks used by any of the targets are not in scope for this program, unless they directly impact the security of the target applications.\n\n## The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Issues that can only be leveraged to attack one's own account.\n* Vulnerabilities allowing to obtain infinite \"Boozter\" points or circumventing validation on the amount of points when purchasing a \"Boozter\"\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. 
\n* Issues on Android apps affecting Webviews.\n\n### Jailbroken or rooted devices\nAny issue in our mobile applications that can only be exploited on a jailbroken or rooted device will be considered out of scope.\n\n# Changelog\n\nWe will keep this section regularly updated with changes to our assets that might have relevant security implications.\n\n## Q1 2024\n* Improved search functionality, affecting both Boozt and Booztlet assets, webshops and mobile applications alike.\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-27T10:48:12.029Z"},{"id":3746720,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. 
Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 5 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Targets\n\nWe invite you to identify and report security vulnerabilities in our core services, specifically our primary websites and the associated payment gateway, Kronor. The following targets are within the scope of this program:\n\nCore applications: these are our websites and companion mobile applications.\n\n1. Web applications:\n   1. `www.boozt.com`\n   2. `www.booztlet.com`\n\n2. Mobile applications:\n   1. `com.boozt.app` / `com.boozt`\n   2. `com.boozt.booztlet` / `com.booztlet`\n\nKronor, a payment gateway serving merchants in the nordics.\n\n1. `https://kronor.io/v1/graphql`\n2. `https://payment-gateway.kronor.io`\n3. 
`https://kronor.io/cde/gql`\n\nWe are interested in both isolated vulnerabilities in these endpoints and issues related to the integration of these endpoints with our websites and mobile applications.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Out of Scope\n\nPlease note that any vulnerabilities found in third-party libraries or frameworks used by any of the targets are not in scope for this program, unless they directly impact the security of the target applications.\n\n## The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Issues that can only be leveraged to attack one's own account.\n* Vulnerabilities allowing to obtain infinite \"Boozter\" points or circumventing validation on the amount of points when purchasing a \"Boozter\"\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. 
\n* Issues on Android apps that can be traced back to Webviews with Javascript enabled.\n\n### Jailbroken or rooted devices\nAny issue in our mobile applications that can only be exploited on a jailbroken or rooted device will be considered out of scope.\n\n# Changelog\n\nWe will keep this section regularly updated with changes to our assets that might have relevant security implications.\n\n## Q1 2024\n* Improved search functionality, affecting both Boozt and Booztlet assets, webshops and mobile applications alike.\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-12-17T10:12:55.672Z"},{"id":3744395,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. 
Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 5 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. 
This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Out of Scope\n\n### The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Issues that can only be leveraged to attack one's own account.\n* Vulnerabilities allowing to obtain infinite \"Boozter\" points or circumventing validation on the amount of points when purchasing a \"Boozter\"\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. 
\n* Issues on Android apps that can be traced back to Webviews with Javascript enabled.\n\n### Jailbroken or rooted devices\nAny issue in our mobile applications that can only be exploited on a jailbroken or rooted device will be considered out of scope.\n\n# Changelog\n\nWe will keep this section regularly updated with changes to our assets that might have relevant security implications.\n\n### Q1 2024\n* Improved search functionality, affecting both Boozt and Booztlet assets, webshops and mobile applications alike.\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-13T09:44:20.339Z"},{"id":3736535,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. 
Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 5 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. 
This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Out of Scope\n\n### The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Issues that can only be leveraged to attack one's own account.\n* Vulnerabilities allowing to obtain infinite \"Boozter\" points or circumventing validation on the amount of points when purchasing a \"Boozter\"\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. 
\n\n### Jailbroken or rooted devices\nAny issue in our mobile applications that can only be exploited on a jailbroken or rooted device will be considered out of scope.\n\n# Changelog\n\nWe will keep this section regularly updated with changes to our assets that might have relevant security implications.\n\n### Q1 2024\n* Improved search functionality, affecting both Boozt and Booztlet assets, webshops and mobile applications alike.\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-19T08:42:38.724Z"},{"id":3724191,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 5 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our 
customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Out of Scope\n\n### The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Issues that can only be leveraged to attack one's own account.\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. 
\n\n### Jailbroken or rooted devices\nAny issue in our mobile applications that can only be exploited on a jailbroken or rooted device will be considered out of scope.\n\n# Changelog\n\nWe will keep this section regularly updated with changes to our assets that might have relevant security implications.\n\n### Q1 2024\n* Improved search functionality, affecting both Boozt and Booztlet assets, webshops and mobile applications alike.\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-26T09:04:44.576Z"},{"id":3723570,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 2 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our 
customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Out of Scope\n\n### The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Issues that can only be leveraged to attack one's own account.\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. 
\n\n### Jailbroken or rooted devices\nAny issue in our mobile applications that can only be exploited on a jailbroken or rooted device will be considered out of scope.\n\n# Changelog\n\nWe will keep this section regularly updated with changes to our assets that might have relevant security implications.\n\n### Q1 2024\n* Improved search functionality, affecting both Boozt and Booztlet assets, webshops and mobile applications alike.\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-16T08:45:31.922Z"},{"id":3714073,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 2 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our 
customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Out of Scope\n\n### The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. 
\n\n### Jailbroken/rooted devices\nAny issue in our mobile applications that can only be exploited on a rooted or jailbroken device will be considered out of scope.\n\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-13T10:17:21.744Z"},{"id":3712040,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 2 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our customers. 
Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Out of Scope\n\n### The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. 
denial of service vulnerabilities).\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/favorites` endpoint.\n* Issues related to mobile application authentication tokens.\n* Brute-force issues, in particular with authentication endpoints. \n\n### Jailbroken/rooted devices\nAny issue in our mobile applications that can only be exploited on a rooted or jailbroken device will be considered out of scope.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-02T14:46:00.630Z"},{"id":3705302,"new_policy":"Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. Join us in making a difference.\n\n# Response Targets\nBoozt will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response   | SLA in business days               |\n|--------------------|------------------------------------|\n| First Response     | 2 days                             |\n| Time to Triage     | 2 days                             |\n| Time to Bounty     | 14 days                            |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\nFollow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# How we determine severity of a report\nAfter a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our customers. 
Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.\n\nReports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.\n\n# Program Rules\n\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers. \n* When duplicates occur, we only award the first fully reproducible report that we receive.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* If you require an account with our services to showcase a vulnerability, please use your `@wearehackerone.com` email when registering.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Out of Scope\n\n### The following issues are considered out of scope:\n\n* Best practice concerns: evidence of a security issue is required.\n* Clickjacking on pages with no sensitive actions.\n* Attacks requiring MITM or physical access to a customer's device.\n* Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.\n* CSV injection without demonstrating a vulnerability.\n* Any vulnerability affecting the availability of Boozt systems (e.g. denial of service vulnerabilities).\n* Rate limiting (e.g. reset password, login, etc.) 
or bruteforce issues on non-authentication endpoints.\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).\n* Software version disclosure.\n* Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Sessions being hijacked because of insecure protocol use.\n* Reports from automated tools or scans.\n* Spam techniques.\n* Code obfuscation in mobile applications.\n* Issues relating to password policies.\n* Race conditions that don't compromise the security of Boozt or our customers.\n* Issues that require unlikely customer interaction.\n* Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.\n* User enumeration vulnerabilities.\n\n### Known issues\n\nThe following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.\n\n* Cross-Site Request Forgery (CSRF) vulnerabilities on the `/api/me/recent` and `/api/me/favorites` endpoints.\n* Issues related to mobile application authentication tokens.\n\n### Jailbroken/rooted devices\nAny issue in our mobile applications that can only be exploited on a rooted or jailbroken device will be considered out of scope.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Boozt and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-17T08:52:54.667Z"},{"id":3705301,"new_policy":"Boozt Fashion AB looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nBoozt Fashion AB will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. 
This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Out of Scope \n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Best practices concerns (evidence of a security issue required)\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on authenticated or unauthenticated forms likewise.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting (e.g. reset password, login, etc.) or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Contact form and Messenger contact under Customer Support\n* Sessions not being invalidated when a best practice says so\n* Sessions being hijacked because of HTTP\n* Reports from automated tools or scans\n* Spam techniques, including SPF and DKIM issues\n* Code Obfuscation in Mobile Apps\n* Issues relating to Password Policy\n* Race conditions that don't compromise the security of Boozt or our customers\n* Version number information disclosure\n* Non-secure FTP connections\n* Issues that require unlikely user interaction\n* Issues related to APP authentication tokens: we are actively working on fixing token expiration issues\n* Issues related to hardcoded vendor tokens on APPs which don't compromise the security of Boozt or our customers\n* User enumeration vulnerabilities\n\n### Jailbroken/rooted devices\nVulnerabilities affecting Mobile Apps on jailbroken or rooted devices will be considered out of scope unless they expose sensitive data other than that of the user who is currently or was previously using the device.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Boozt Fashion AB and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-17T08:31:22.121Z"}]