img-bg
Terrahost Bug Bounty Program

While we are doing our best to keep Terrahost services as safe as possible, we know that some bugs can slip through our scrutiny.

If you believe you have found a security issue in the services listed in our scope, we will work with you to resolve it promptly and ensure you are fairly rewarded for your discovery.

Rewards

Terrahost may provide rewards to eligible reportes of qualifying vulnerabilities. Rewards amounts vary depending upon the severity of the vulnerability reported.

Terrahost keeps the right to decide if the minimum severify threshold is met and whether the scope of the reported bug is actually already covered by a previously reported vulnerability. Rewards are granted entirely at the discretion of Terrahost. To qualify for a reward under this program, you should respect all the below criterias.

Eligibility and Responsible Disclosure

We are happy to work with everyone who submits valid reports which help us improve the security of Terrahost.

However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You need to be the first person to report an unknown issue
  • Any vulnerability found must be reported no later than 24 hours after discovery.
  • You are not allowed to disclose details about the vulnerability anywhere else.
  • You must avoid tests that could cause degradation or interruption of our service.
  • You must not leak, manipulate, or destroy any user data.
  • You are only allowed to test against accounts you own yourself.
  • The use of automated tools or scripted testing is not allowed.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability, include attachments such as screenshots or proof of concept code as necessary.

We intend to respond and resolve reported issues as quickly as possible. This means that you will receive progress updates from us at least every 1-3 working days.

Note that posting details or conversations about the report or posting details that reflect negatively on the program and the Terrahost brand, will result in immediate disqualification from the program.

Scopes

Scope Type Low Medium High Critical
api.terrahost.no web application 50 EUR 150 EUR 500 EUR 1500 EUR
terrahost.no web site 50 EUR 150 EUR 500 EUR 1500 EUR
enigma.terrahost.no web site 50 EUR 150 EUR 500 EUR 1500 EUR


Qualifying vulnerabilities

  • Vulnerabilities with a real security impact

Non-qualifying vulnerabilities

  • "Self" XSS
  • Account enumeration
  • Missing HTTP Headers
  • SSL/TLS best practices
  • Denial of Service and brute forcing attacks
  • Physical attacks against offices or datacenters
  • Social engineering of our services desk, employees or contractors
  • Compromise of a Terrahost users or employees accounts
  • Use of a tool that generates a significant volume of traffic
  • Any hypothetical flaw or best practices without exploitable POC
  • Session timeout
  • Click-jacking
  • Rate-limiting
  • DKIM/SPF/DMARC issues

Contact and reporting

Please send any reports and POC to support@terrahost.no for evaluation. We urge you to contact us with your login details before you begin, so our staff do not close your account for abuse, which may happen if we see unusual activity.