Vulnerability finder’s reward (Coordinated Vulnerability Disclosure)

A valuable report deserves a reward!

Is the reported vulnerability unknown to us and does the report have impact? Then you will receive a reward from us! You will always get a place in our Hall of Fame, if you want to. We reward the best reports with a nice letter or even the Tax Administration Trophy! You will never receive a monetary reward for your vulnerability report.

  • Vulnerabilities with a chance of an additional reward

    • (Stored) Cross-Site Scripting with impact on other users of the web application
    • (Remote) Code Execution, including SQLi and Command Injection
    • Unauthorised access to confidential data
    • Server-Side Request Forgery
    • Path Traversal
    • HTTP Host Header Injection
    • Sender Policy Framework / DomainKeys Identified Mail misconfigurations (SPF/DKIM)
    • Credential/Authorisation Leaks via public sources (e.g. via GitHub or semi-public sources)
    • Username enumeration (not brute force)
  • Out-of-scope

    • Self Cross Site Scripting (Self-XSS)
    • Social Engineering
    • (Distributed) Denial of Service ((D)DoS)
    • Physical tests/attacks on the Tax Administration's infrastructure
    • Man-in-the-Middle attacks (MitM)

Please note!

The final reward may differ from the examples above. Have you discovered a vulnerability not mentioned above? If so, please still report the vulnerability. We take every report seriously.
