Introduction

We welcome security researchers and the public to help improve our data safety. If you believe you have discovered a vulnerability, privacy issue, exposed data or other security concern in any of our products, we want to hear from you. This page outlines ways to report vulnerabilities to us, what we expect and what you can expect in return.


As we currently do not run an open/public Bug Bounty program, vulnerability reports eligible for payout have to be sent via our Bug Bounty service provider: the Intigriti platform (for more details see section Reporting channels).

Disclaimer

We accept vulnerability reports that have a direct impact on data integrity, service availability and/or data confidentiality (CIA Triad). Reports sent directly by email to HomeToGo will be eligible for payout only when they have a High or Critical severity level.

Our expectations

  • We cannot accept any submissions found by using only automatic scanners. You need to send your report as a manual PoC showing how the vulnerability can be used to impact data integrity, service availability and/or data confidentiality.
  • Please keep the impact as minimal as possible by cleaning up submitted data to avoid affecting users other than yourself, and do not change or delete data in any state.
  • Suggestions for mitigation are also appreciated.
  • Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
  • Handle any found data in a responsible manner.
  • Do NOT publish/discuss bugs before they are fixed.
  • Do not engage in extortion or other harmful behavior.
  • Remember: quality over quantity!

Reporting channels

Reporting through the Bug Bounty platform

To ensure a payout to you and quality reports for us, we highly encourage reporting vulnerabilities on our Bug Bounty platform. To do that, you will need to be registered with Intigriti (https://login.intigriti.com/account/register) and invited to join our Bug Bounty program. If or when you are registered with Intigriti, you will need to provide us with your account information by email ([email protected]) to be invited into our Bug Bounty program.


Reporting directly to HomeToGo by email

If you want to report a vulnerability without the use of our Bug Bounty program on Intigriti, you can send your findings directly to us by email ([email protected]). Reports sent directly to us and not through the Bug Bounty service provider's platform will be accepted, but the payment will happen at the sole discretion of HomeToGo. The payout for the report depends on the vulnerability severity, business impact and quality.


Please use the below template to send us vulnerability reports:


#Summary:

[add summary of the vulnerability]

#Affected Host:

[add all affected domains]

#Impact:

[add impact of the vulnerability with the description]

#Steps To Reproduce:

[add details for how we can reproduce the issue, including an exploit code]

[add step]
[add step]
[add step]

#Supporting Material/References:

[list any additional material (e.g. screenshots, videos, logs, etc.) and add them as attachments/references]


Out of scope

Please respect systems and activities that are out of scope. Unfortunately, reports containing any of the following out-of-scope findings will be discarded.


Application and Infrastructure

  • DoS & DDoS
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Hyperlink injection/takeovers
  • Mixed content type issues
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without proof
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • Banner grabbing/Version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing API keys without proven impact
  • Same-site scripting
  • Subdomain takeover without having actually taken over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact
  • Disclosed and/or misconfigured Google API key (including maps)
  • Host header injection without proven business impact