[{"id":3754141,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge the related data from your system, and contact SIX. 
This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* You must be the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to restore the target to its state prior to testing.\n* For assets not explicitly listed in our scope, we will evaluate them on a case-by-case basis. Please note that acquisitions are considered outside of our scope. 
Many of these assets are not part of our core production infrastructure; therefore, we cannot guarantee the remediation of vulnerabilities. Such cases will not qualify for bounties. Since this is not our standard process, response times and the overall evaluation timeline may be longer than usual.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of SIX and reward amounts may be adjusted mid-Challenge. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); or an RCE on an asset that doesn’t house production data.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":false,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute 
Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CAA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via RCE) is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2025-04-22T08:29:05.485Z"},{"id":3753881,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. 
With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge the related data from your system, and contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. 
Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* You must be the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to restore the target to its state prior to testing.\n* For assets not explicitly listed in our scope, we will evaluate them on a case-by-case basis. Please note that acquisitions are considered outside of our scope. Many of these assets are not part of our core infrastructure; therefore, we cannot guarantee the remediation of vulnerabilities. Such cases will not qualify for bounties. Since this is not our standard process, response times and the overall evaluation timeline may be longer than usual.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. 
HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of SIX and reward amounts may be adjusted mid-Challenge. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); or an RCE on an asset that doesn’t house production data.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":false,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability 
scanners, without confirmation.\"}","{\"category\":\"Missing CAA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via RCE) is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2025-04-16T15:15:56.035Z"},{"id":3753880,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge the related data from your system, and contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* You must be the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to restore the target to its state prior to testing.\n* For assets not explicitly listed in our scope, we will evaluate them on a case-by-case basis. Please note that acquisitions are considered outside of our scope. Many of these assets are not part of our core infrastructure; therefore, we cannot guarantee the remediation of vulnerabilities. Such cases will not qualify for bounties. Since this is not our standard process, response times and the overall evaluation timeline may be longer than usual.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of SIX and reward amounts may be adjusted mid-Challenge. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); or an RCE on an asset that doesn’t house production data.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":false,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CAA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., 
Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via RCE) is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2025-04-16T15:15:13.459Z"},{"id":3753872,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge the related data from your system, and contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* You must be the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to restore the target to its state prior to testing.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of SIX and reward amounts may be adjusted mid-Challenge. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); or an RCE on an asset that doesn’t house production data.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":false,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CAA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., 
Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via RCE) is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2025-04-16T10:11:11.614Z"},{"id":3749428,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge the related data from your system, and contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* You must be the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to restore the target to its state prior to testing.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of SIX and reward amounts may be adjusted mid-Challenge. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); or an RCE on an asset that doesn’t house production data.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CCA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., 
Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via RCE) is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2025-02-04T13:53:24.183Z"},{"id":3743426,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree to and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and employees of third-party asset providers are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modifying or destroying data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* To be eligible for a bounty, you must be the first to submit a sufficiently reproducible report for an issue.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to SIX from our own testing, it will be flagged as a duplicate.\n* If applicable, provide information about the cleanup steps (e.g., removal of uploaded files) needed to restore the target’s initial state prior to testing.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of **SIX** and reward amounts may be adjusted mid-Challenge. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to \n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with a proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CAA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via RCE) 
is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2024-11-01T09:00:21.870Z"},{"id":3743425,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree to and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and employees of third-party asset providers are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modifying or destroying data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* To be eligible for a bounty, you must be the first to submit a sufficiently reproducible report for an issue.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to SIX from our own testing, it will be flagged as a duplicate.\n* If applicable, provide information about the cleanup steps (e.g., removal of uploaded files) needed to restore the target’s initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of **SIX** and reward amounts may be adjusted mid-Challenge. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to \n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with a proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CAA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via RCE) 
is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2024-11-01T09:00:07.896Z"},{"id":3743423,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree to and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and employees of third-party asset providers are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modifying or destroying data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* To be eligible for a bounty, you must be the first to submit a sufficiently reproducible report for an issue.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to SIX from our own testing, it will be flagged as a duplicate.\n* If applicable, provide information about the cleanup steps (e.g., removal of uploaded files) needed to restore the target’s initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of **SIX** and reward amounts may be adjusted mid-Challenge. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to \n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with a proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CAA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via RCE) 
is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2024-11-01T08:45:12.255Z"},{"id":3743212,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree to and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and employees of third-party asset providers are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modifying or destroying data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* To be eligible for a bounty, you must be the first to submit a sufficiently reproducible report for an issue.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to SIX from our own testing, it will be flagged as a duplicate.\n* If applicable, provide information about the cleanup steps (e.g., removal of uploaded files) needed to restore the target’s initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of **SIX** and reward amounts may be adjusted mid-Challenge. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to \n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with a proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CAA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via 
RCE) is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2024-10-29T15:34:23.358Z"},{"id":3743211,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n# General\n* You agree to and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and employees of third-party asset providers are not eligible for participation in this program.\n\n# Accounts\n* Only interact with accounts you own or that have been granted to you by the program team. This also applies to password brute force attacks.\n\n# Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modifying or destroying data or establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* To be eligible for a bounty, you must be the first to submit a sufficiently reproducible report for an issue.\n* You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* If a reported vulnerability was already known to SIX from our own testing, it will be flagged as a duplicate.\n* If applicable, provide information about the cleanup steps (e.g., removal of uploaded files) needed to restore the target’s initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Rewards\nOur rewards are based on the severity of a vulnerability; please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of **SIX** and reward amounts may be adjusted mid-Challenge. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to \n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with a proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CAA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., Lateral Movement, Local 
Enumeration)\",\"details\":\"Once remote access (e.g., via RCE) is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2024-10-29T15:33:52.708Z"},{"id":3743209,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n#General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n#Accounts\n* Only interact with accounts you own or granted by the program team. This also applies to password brute force attacks.\n\n#Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* You are the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* In case that a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to establish the targets initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n#Rewards\nOur rewards are based on the severity of a vulnerability, please refer to the bounty table at the top of this policy page. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. Please note, however, that reward decisions are up to the discretion of **SIX** and reward amounts may be adjusted mid-Challenge. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to \n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Physical/MitM Attacks\",\"details\":\"Any attacks requiring physical access or man-in-the-middle (MitM) attacks, or control over a user’s device.\"}","{\"category\":\"Cross-Domain Referer Leakage\",\"details\":\"Out of scope unless there is a significant impact, such as the disclosure of authenticated session cookies.\"}","{\"category\":\"Cross-Domain Resource Inclusions\",\"details\":\"Vulnerabilities involving inclusion of external resources (e.g., JavaScript, images, CSS) from untrusted sources.\"}","{\"category\":\"Outdated JavaScript Libraries without PoC\",\"details\":\"Only reports with proof-of-concept (PoC) demonstrating actual exploitability of outdated libraries will be accepted.\"}","{\"category\":\"Brute Force Attacks\",\"details\":\"Reports regarding missing brute force protection are out of scope unless user enumeration is possible.\"}","{\"category\":\"OSINT Vulnerabilities\",\"details\":\"Vulnerabilities based solely on Open Source Intelligence (OSINT) investigations without a technical exploit.\"}","{\"category\":\"Unconfirmed Vulnerability Scanning Reports\",\"details\":\"Reports generated solely from automated vulnerability scanners, without confirmation.\"}","{\"category\":\"Missing CCA\",\"details\":\"Missing DNS resource records for Certificate Authority Authorization (CAA).\"}","{\"category\":\"Post-Exploitation Activities (e.g., Lateral Movement, Local Enumeration)\",\"details\":\"Once remote access (e.g., via 
RCE) is achieved, actions like lateral movement, local enumeration, privilege escalation, or network traversal are out of scope. The focus should be on reporting the RCE vulnerability itself, without further exploitation.\"}","{\"category\":\"Zero-Day and Recently Disclosed Vulnerabilities\",\"details\":\"Zero-day vulnerabilities or vulnerabilities that have been disclosed publicly for less than 30 days.\"}","{\"category\":\"Vulnerabilities only affecting users of outdated or unpatched browsers\",\"details\":\"Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\"}"],"timestamp":"2024-10-29T15:33:26.347Z"},{"id":3740710,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Eligibility Guidelines\n\n#General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n#Accounts\n* Only interact with accounts you own or granted by the program team. This also applies to password brute force attacks.\n\n#Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) 
on SIX assets.**\n\n# Out of scope vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.\n* Attacks requiring MITM or physical access or control over a user's device.\n* Cross-domain referer leakage (except there is an actual impact like disclosure of authenticated session cookies).\n* Cross-domain script inclusions.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting.\n* Brute force attacks, as long as user enumeration isn’t possible.\n* Denial of service attacks (DDOS/DOS).\n* Missing cookies security flags (e.g., HttpOnly or Secure).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).\n* Missing DNS resource record for Certificate Authority Authorization (CAA).\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\n* Information disclosure vulnerabilities like software version disclosure / internal path disclosure issues / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors) (except there is an actual impact like disclosure of sensitive information).\n* Zero-days or known vulnerabilities disclosed publicly within the past 30 days.\n* Vulnerabilities solely based on Open Source Intelligence (OSINT) investigations, without a technical exploit.\n* Broken links or URL inconsistencies without an associated security vulnerability or demonstrable impact on system security.\n* Web links that point to non-existing web pages.\n* Unconfirmed reports from automated vulnerability scanners.\n* General low severity issues reported by automated scanners.\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* You are the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* In case that a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to establish the targets initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-30T13:44:27.598Z"},{"id":3710898,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. 
SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Response Times\nSIX Group will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Eligibility Guidelines\n\n#General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. 
This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n#Accounts\n* Only interact with accounts you own or granted by the program team. This also applies to password brute force attacks.\n\n#Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) on SIX assets.**\n\n# Out of scope vulnerabilities\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Cross-domain referer leakage (except there is an actual impact like disclosure of authenticated session cookies).\n* Cross-domain script inclusions.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or brute force issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing cookies security flags (e.g., HttpOnly or Secure)\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Missing DNS resource record for Certificate Authority Authorization (CAA)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)\n* Information disclosure vulnerabilities like software version disclosure / internal 
path disclosure issues / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors) (except there is an actual impact like disclosure of sensitive information)\n* Zero-days or known vulnerabilities disclosed publicly within the past 30 days.\n* Vulnerabilities solely based on Open Source Intelligence (OSINT) investigations, without a technical exploit.\n* Broken links or URL inconsistencies without an associated security vulnerability or demonstrable impact on system security.\n* Web links that point to non-existing web pages.\n* Unconfirmed reports from automated vulnerability scanners\n* General low severity issues reported by automated scanners\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* You are the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* In case that a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to establish the targets initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-17T10:02:19.823Z"},{"id":3709151,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Response Times\nSIX Group will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Eligibility Guidelines\n\n#General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n#Accounts\n* Only interact with accounts you own or granted by the program team. This also applies to password brute force attacks.\n\n#Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. 
Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) on SIX assets.**\n\n# Out of scope vulnerabilities\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Cross-domain referer leakage (except there is an actual impact like disclosure of authenticated session cookies).\n* Cross-domain script inclusions.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or brute force issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing cookies security flags (e.g., HttpOnly or Secure)\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Missing DNS resource record for Certificate Authority Authorization (CAA)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)\n* Information disclosure vulnerabilities like software version disclosure / internal path disclosure issues / banner identification issues / descriptive error messages or headers (e.g. 
stack traces, application or server errors) (except there is an actual impact like disclosure of sensitive information)\n* Zero-days or known vulnerabilities disclosed publicly within the past 30 days.\n* Vulnerabilities solely based on Open Source Intelligence (OSINT) investigations, without a technical exploit.\n* Open redirect \u0026 Broken links or URL inconsistencies without an associated security vulnerability or demonstrable impact on system security.\n* Web links that point to non-existing web pages.\n* Unconfirmed reports from automated vulnerability scanners\n* General low severity issues reported by automated scanners\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* You are the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* In case that a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to establish the targets initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-12T15:57:03.506Z"},{"id":3686818,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Response Times\nSIX Group will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Eligibility Guidelines\n\n#General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n#Accounts\n* Only interact with accounts you own or granted by the program team. This also applies to password brute force attacks.\n\n#Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. 
Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) on SIX assets.**\n\n# Out of scope vulnerabilities\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Cross-domain referer leakage (except there is an actual impact like disclosure of authenticated session cookies).\n* Cross-domain script inclusions.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or brute force issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing cookies security flags (e.g., HttpOnly or Secure)\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Missing DNS resource record for Certificate Authority Authorization (CAA)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)\n* Information disclosure vulnerabilities like software version disclosure / internal path disclosure issues / banner identification issues / descriptive error messages or headers (e.g. 
stack traces, application or server errors) (except there is an actual impact like disclosure of sensitive information)\n* Zero-days or known vulnerabilities disclosed publicly within the past 30 days.\n* Open redirect - unless an additional security impact can be demonstrated\n* Web links that point to non-existing web pages.\n* Unconfirmed reports from automated vulnerability scanners\n* General low severity issues reported by automated scanners\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* You are the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* In case that a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to establish the targets initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-03T06:30:49.623Z"},{"id":3686497,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Response Times\nSIX Group will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Eligibility Guidelines\n\n#General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n#Accounts\n* Only interact with accounts you own or granted by the program team. This also applies to password brute force attacks.\n\n#Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. 
Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) on SIX assets.**\n\n# Out of scope vulnerabilities\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Cross-domain referer leakage (except there is an actual impact like disclosure of authenticated session cookies).\n* Cross-domain script inclusions.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or brute force issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing cookies security flags (e.g., HttpOnly or Secure)\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)\n* Information disclosure vulnerabilities like software version disclosure / internal path disclosure issues / banner identification issues / descriptive error messages or headers (e.g. 
stack traces, application or server errors) (except there is an actual impact like disclosure of sensitive information)\n* Zero-days or known vulnerabilities disclosed publicly within the past 30 days.\n* Open redirect - unless an additional security impact can be demonstrated\n* Web links that point to non-existing web pages.\n* Unconfirmed reports from automated vulnerability scanners\n* General low severity issues reported by automated scanners\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* You are the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* In case that a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to establish the targets initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-24T08:03:00.636Z"},{"id":3686405,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Response Times\nSIX Group will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Eligibility Guidelines\n\n#General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* **Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.**\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* **Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.**\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n\n#Accounts\n* Only interact with accounts you own or granted by the program team. This also applies to password brute force attacks.\n\n#Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. 
Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, establishing persistence.\n* **Append the string “bugbounty” to your user agent for all HTTP/HTTPS traffic before performing any testing.**\n* **Do not perform any kind of automated scans (e.g., via Burp Suite, Nuclei, SqlMap, etc.) on SIX assets.**\n\n# Out of scope vulnerabilities\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Cross-domain referer leakage (except there is an actual impact like disclosure of authenticated session cookies).\n* Cross-domain script inclusions.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or brute force issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing cookies security flags (e.g., HttpOnly or Secure)\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)\n* Information disclosure vulnerabilities like software version disclosure / internal path disclosure issues / banner identification issues / descriptive error messages or headers (e.g. 
stack traces, application or server errors) (except there is an actual impact like disclosure of sensitive information)\n* Zero-days or known vulnerabilities disclosed publicly within the past 30 days.\n* Open redirect - unless an additional security impact can be demonstrated\n* Unconfirmed reports from automated vulnerability scanners\n* General low severity issues reported by automated scanners\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* You are the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* In case that a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to establish the targets initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-20T08:59:53.171Z"},{"id":3686364,"new_policy":"SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.\n\nThe threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.\n\nThe collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. 
Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!\n\n# Response Times\nSIX Group will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Eligibility Guidelines\n\n#General\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.\n* Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.\n* Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.\n* Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.\n* Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.\n* Do not store, share, compromise or destroy SIX or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact SIX. This step protects any potentially vulnerable data, and you.\n* SIX employees and third-party assets employees are not eligible for participation in this program.\n* Do not perform any kind of automated scans (e.g., via Burp Suite, Nessus, etc.) on SIX assets.\n\n#Accounts\n* Only interact with accounts you own or granted by the program team. This also applies to password brute force attacks.\n\n#Tooling\n* Only use exploits to the extent necessary to confirm a vulnerability’s presence. 
Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, establishing persistence.\n\n# Out of scope vulnerabilities\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Cross-domain referer leakage (except there is an actual impact like disclosure of authenticated session cookies).\n* Cross-domain script inclusions.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or brute force issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing cookies security flags (e.g., HttpOnly or Secure)\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)\n* Information disclosure vulnerabilities like software version disclosure / internal path disclosure issues / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors) (except there is an actual impact like disclosure of sensitive information)\n* Zero-days or known vulnerabilities disclosed publicly within the past 30 days.\n* Open redirect - unless an additional security impact can be demonstrated\n* Unconfirmed reports from automated vulnerability scanners\n* General low severity issues reported by automated scanners\n\n# Submission / Reporting Criteria\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* You are the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* In case that a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.\n* If applicable, provide information about necessary cleanup steps (e.g., removal of uploaded files) to establish the targets initial state prior to testing.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SIX Group and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-19T13:55:34.411Z"}]