Learn more about our Bug Bounty Policy

Overview

This program enables users to submit vulnerabilities to Agicap on products within the scope of the program (see the "Scope" section). These submissions offer a chance to win rewards in amounts determined by Agicap at its sole discretion. Agicap may change or cancel this program at any time and for any reason.

This program is currently active

Similarly, these conditions may change at any time and will become applicable upon publication of the new version. By participating in the program, you automatically agree to the applicable terms and conditions.

Please read the entire bug bounty policy BEFORE submitting any report.

Scope

The scope is limited to:

  • agicap.com and all associated sub-domains (e.g. "xyz.agicap.com").
What is not allowed:

- Social engineering attacks against our customers or staff;
- Physical attacks against our customers or staff;
- Attacks on service availability (e.g. Denial of Service or spam);
- Data modification;
- Disclosure of data or details of vulnerabilities without our consent.

What will not result in a reward:

- Very low-quality reports, such as those which only contain automated output (these will be rejected);
- Reports without any PoC related to Agicap (e.g. an explanation of a standard vulnerability without proof that it applies to Agicap);
- Vulnerabilities related to a TLS configuration weakness;
- Submissions relating to non-compliance with "best practices" (e.g. missing security headers, CORS configuration, …);
- Submissions relating to DNS configurations;
- Network-level Denial of Service attacks;
- Self-XSS;
- Login, logout, unauthenticated or low-value CSRF;
- Man-in-the-Middle attacks;
- Non-exploitable vulnerabilities;
- Vulnerabilities related to rate limiting.

Agicap employees or former employees who left the company less than a year ago are not eligible for a reward. Likewise, the close entourage of employees is not eligible for a reward.

Submission and disclosure process

If you think you've found a vulnerability in the scope described above, please send it to: [email protected].

The submission must contain:

  • Scope (URL affected);
  • Type of vulnerability;
  • Description of the impact;
  • Steps to reproduce;
  • Ways to exploit it, with a valid PoC;
  • A way to correct it.

A partial submission will not be eligible for a reward.

We will acknowledge receipt of the submission within 7 days. If you do not receive an acknowledgement, please send a reminder to [[email protected]]. We cannot be held responsible for an email that did not reach us.

After receipt, we will assess the eligibility of the vulnerability. The time required may vary depending on the type of vulnerability.

Eligibility is entirely at our discretion and will not be subject to appeal.

If a vulnerability is reported by multiple people, only the first report will be eligible for a reward; the others will be classified as "duplicate".

Reported vulnerabilities must not be disclosed publicly unless expressly authorized by Agicap. In case of publication without this agreement, no reward will be given and legal proceedings may be initiated.

Rewards

If a vulnerability is submitted in compliance with the clauses defined above, a reward is possible.

For all payments, an invoice is required.

The invoice must be made out to:

Agicap, 57 Rue de St Cyr, 69009 Lyon

and include the following information:

  • your name
  • address
  • IBAN
  • SWIFT/BIC
  • VAT number (if applicable)
  • a short description of service.

Payments are made by bank transfer, and only once the bank details have been transmitted.

No PayPal payments will be made.

Payment is made within 30 days after validation and provision of the invoice.