Welcome to the meteoblue bug bounty program

As part of our ongoing effort to improve the security of our portfolio, we would like to invite you to participate in our bug bounty program. If you are a security researcher, bug hunter or white hat hacker, you are hereby encouraged to send us any bugs, vulnerabilities and safety hazards you may find in our products and services.

To compensate you for your time and effort, and as a token of our appreciation for your assistance, submissions that contain reproducable issues which lie within the scope and honour the guidelines listed below are eligible for a tiered reward, depending on the severity of the vulnerability found.

Reward tiers

Low impact:	50 EUR
Medium impact:	150 EUR
High impact:	300 EUR
Critical impact:	500 EUR

Rules and Guidelines

• Don't destroy data, disrupt our service, violate privacy of other users, etc.
• All testing should be performed within the boundaries of our scope. Unauthorised access to other systems or data is strictly prohibited.
• Respect user privacy and confidentiality. Do not share or misuse any sensitive data you might access during testing.
• Follow responsible disclosure practices. Give us a reasonable amount of time to address and fix the issues before disclosing them publicly.
• In case of a severe vulnerability that allows system access, you must not proceed further.
• Threatening of any kind will automatically disqualify you from participating in this program.
• Exploitation of any kind will not be tolerated and will result in a ban from the program.
• Communication with meteoblue security team is confidential and must not be documented or publicised.
• Give us a reasonable time to respond to the issue.
• It is subject to decision by meteoblue to determine when and how bugs are addressed and fixed.

Eligibility

• Must contain sufficient information including proof of concept and code snippets where needed.
• Must be the first to report the issue.
• You agree to keep any communications with meteoblue private.
• You agree to participate in the testing of countermeasures.

Scope

You are invited to test on the following subdomains:

• www.meteoblue.com
• my.meteoblue.com
• maps-api.meteoblue.com

Exclusions

• Missing any best security practice that is not a vulnerability
• Self XSS
• Username or email address enumeration
• Social engineering and flooding of email
• All kinds of injections without evidence of the ability to target a remote victim.
• Open Redirects without demonstrating additional security impact (such as stealing auth tokens)
• Clickjacking in unauthenticated pages or in pages with no significant state-changing action
• Logout or unauthenticated CSRF
• Missing cookie flags on non-sensitive cookies
• Missing security headers that do not lead directly to a vulnerability
• Unvalidated findings from automated tools or scans
• Attacks that require physical access to a user device
• Host header attacks without evidence of the ability to target a remote victim
• Use of a known-vulnerable library (without evidence of exploitability)
• Low-impact descriptive error pages and information disclosures without any sensitive information
• Invalid or missing SPF/DKIM/DMARC/BIMI records
• Password and account policies, such as (but not limited to) reset link expiration or password complexity
• Phishing risk via unicode/punycode or RTLO issues
• Missing rate limitations on endpoints
• Lack of mobile binary protection and mobile SSL pinning
• Reports exploiting the behavior of vulnerabilities in outdated browsers
• Bypass of meteoblue service limitations

Contact Us

If you have any questions or need assistance, please contact us at [email protected].

We appreciate your contributions to making our systems more secure and are looking forward to working with you!

Happy Hunting!