Geizhals Code Bounty
11.12.2013, 19:34:48


Geizhals Bug Bounty Program
===========================================
DRAFT, valid from 21.12.2013 as published at that date.


General terms:


  • applies to websites using the domains: geizhals.at, geizhals.de, geizhals.eu, compare.eu, skinflint.co.uk, cenowarka.pl
  • in some cases, multiple reports for seemingly different websites might refer to the exact same problem / piece of code, because e.g. skinflint.co.uk uses the same code as geizhals.at etc. - here we will consider these multiple reports as one at our discretion.
  • we may offer to pay bounties in the form of Amazon vouchers (we will let you choose from Amazon.de, Amazon.co.uk and possibly others if we can pay them without tax issues)
  • we will publish information about submissions with as much detail as we choose to
  • first come, first served - bounties are paid to the first submitter only and only once per type of vulnerability (not for different ways of exploiting the same or for each account compromised etc.)
  • damages caused unnecessarily will be subtracted from bounties (we'll be fair). If too much avoidable damage was caused, we may refuse to pay bounties (please don't do it, this bug bounty program does not exist in order to invite people to cause damage to us)
  • known vulnerabilities we are trying to fix and have already published are excluded
  • if multiple cases below apply, the highest is paid, except for vulnerable 3rd party code (i.e. Debian packages), where we pay only the bounty for that category (the best matching)
  • all submissions must be sent to bugbounty@geizhals.at and readable with MUAs without HTML support
  • exploit details must not be published elsewhere before we've had reasonable time to fix the problem
  • we may update the terms / bounties however we wish at any time without prior notice, however for submitted bugs sent before new terms are announced, the old terms will apply
  • we must be able to reproduce reported bugs without an unusual/exotic platform/configuration
  • we will try to be as fair and objective as possible, however if we cannot afford some bounties or if we made stupid mistakes in the terms published that allow exploitation in an unintended way, we reserve the right to refuse bounties. Please be fair and reasonable too!


SEVERITY           BOUNTY            EXTRA TERMS
-------------------------------------------------------------------------
XSS                €100              

CSRF               €100               if user data can be manipulated through 3rd party websites

SQL Injection      €200

Capturing a user
account            €150              Brute-forcing, phishing or MITM are not applicable. Using XSS:
                                     XSS bounty above will apply.

Severe DoS
opportunity        €200              When a particular request/URL causes effective DoS with
                                     1 hit per 60 seconds (yes we know about forum search and
                                     best merchant combination calculations, they are slow...)

Remote code
execution/login    €500

Remote code exec.
as root            €1000

Any of the above
when caused by 3rd
party bug with fix
available for 48h
or longer          €200

Any of the above
when caused by 3rd
party bug with fix
available for <48h €0 (because we'll hopefully fix it automatically)

Any of the above
when caused by 3rd
party bug with NO
fix available yet  CONTACT DEBIAN/appropriate authorities urgently!





Once you allow the government to start breaking the law, no matter how seemingly justifiable the reason, you relinquish the contract between you and the government which establishes that the government works for and obeys you, the citizen—the employer—the master. And once the government starts operating outside the law, answerable to no one but itself, there’s no way to rein it back in, short of revolution.
-- John W. Whitehead

Farewell to compulsory hunting!

19.12.2013, 07:43 - edited by mjy@geizhals.at