Vulnerability finder’s reward - Coordinated Vulnerability Disclosure

A valuable report deserves a reward!

Is the reported vulnerability unknown to us and does the report have impact? Then you will receive a reward from us! You will always get a place in our Hall of Fame, if you want to. We reward the best reports with a nice letter or even the Tax Administration Trophy! You will never receive a monetary reward for your vulnerability report.

    • (Stored) Cross-Site Scripting with impact on other users of the web application
    • (Remote) Code Execution, including SQLi and Command Injection
    • unauthorised access to confidential data
    • Server-Side Request Forgery
    • Path Traversal
    • HTTP Host Header Injection
    • Sender Policy Framework / DomainKeys Identified Mail misconfigurations (SPF/DKIM)
    • Credential/Authorisation Leaks via public sources (e.g. via GitHub or semi-public sources)
    • Username enumeration (not brute force)
    • Self Cross-Site Scripting (Self-XSS)
    • Social Engineering
    • (Distributed) Denial of Service ((D)DoS)
    • physical tests/attacks on the Tax Administration's infrastructure
    • Man-in-the-Middle attacks (MitM)

Please note!

The final reward may differ from the examples above. Have you discovered a vulnerability not mentioned above? If so, please still report the vulnerability. We take every report seriously.