{"id":21888625,"url":"https://github.com/swisscom/bugbounty","last_synced_at":"2026-01-28T04:48:19.402Z","repository":{"id":58931191,"uuid":"459766446","full_name":"swisscom/bugbounty","owner":"swisscom","description":"Swisscom Vulnerability Disclosure Policy \u0026 Bug Bounty Programme","archived":false,"fork":false,"pushed_at":"2025-02-28T16:40:16.000Z","size":268,"stargazers_count":88,"open_issues_count":0,"forks_count":10,"subscribers_count":52,"default_branch":"main","last_synced_at":"2025-03-04T22:02:05.394Z","etag":null,"topics":["bugbounty"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/swisscom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-15T22:10:53.000Z","updated_at":"2025-02-28T16:40:19.000Z","dependencies_parsed_at":"2024-01-12T17:43:50.601Z","dependency_job_id":"f20bac1d-be5e-4a53-ba6e-3b06ae5857b2","html_url":"https://github.com/swisscom/bugbounty","commit_stats":null,"previous_names":[],"tags_count":41,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2Fbugbounty","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2Fbugbounty/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2Fbugbounty/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2Fbugbounty/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/swisscom","download_url":"https://codel
oad.github.com/swisscom/bugbounty/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244895551,"owners_count":20527905,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty"],"created_at":"2024-11-28T11:16:15.925Z","updated_at":"2026-01-28T04:48:19.372Z","avatar_url":"https://github.com/swisscom.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"![Swisscom Bug Bounty Programme](assets/images/SCBB.png)\n\n## 1 Introduction\nWe, Swisscom Ltd and our affiliated companies (hereinafter \"Swisscom\") \naim to design and operate our products and services according to the \nhighest security standards to keep our customers safe. To this end, we \nare continually improving our security on multiple levels. We are aware \nthat, despite all efforts, absolute security is impossible, and we \ncannot completely rule out the existence of security bugs. The purpose \nof the Swisscom Vulnerability Disclosure Policy and Bug Bounty Programme \nis to support the reporting of potential vulnerabilities in our systems \nby external parties. 
\n\nCustomers, users, researchers, partners and any other parties who \ninteract with Swisscom's products and services are encouraged to report \nidentified vulnerabilities to our security team under observance of our \n[Responsible Disclosure Policy](#3-responsible-disclosure-policy).\n\nMoreover, we invite both private individuals and legal entities to \nparticipate in our [Bug Bounty Programme](#5-bug-bounty-programme) \n(hereinafter the \"Programme\") in accordance with the [Programme \nRules](#54-programme-rules). Bounties may be awarded for reporting \n[qualifying](#53-qualifying-vulnerabilities) and \n[in-scope](#52-programme-scope) vulnerabilities. \n\nSwisscom acknowledges the value of contributions from the security \nresearcher community and highly appreciates the efforts made by the \nreporting party. We thank you in advance for your contribution! \n\n*TL;DR* Swisscom Bug Bounty\n * Public programme\n * Scope includes all enterprise assets\n * Rewards from CHF 100 to CHF 10'000\n * Safe Harbor Policy\n * In-house triage by Swisscom team\n\nℹ️ Please take note of the [registration requirements](#541-registration) and [payment modalities](#561-payment-modalities) before notifying us of a vulnerability. Especially regarding the following points:\n * you will be required to provide a copy of an international identity document (e.g. passport or ID card), that is currently valid and that includes a machine-readable zone for unambiguous matching.\n * rewards are paid out in Swiss francs (CHF) by bank transfer only. Any other payment channels are excluded.\n\n\n## 2 Contact Information\nTo take part in our Bug Bounty Programme, please register and submit \nyour report directly on [our \nportal](https://portal.bugbounty.swisscom.ch/). See \n[5.4.1 Registration](#541-registration). \n\nTo report a security vulnerability to Swisscom without participation in \nthe Bug Bounty Programme or for any other enquiries, please contact us \nby e-mail. 
\n\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eE-mail\u003c/td\u003e\n\t\u003ctd\u003e\u003ca href=\"mailto:bug.bounty@swisscom.com\"\u003ebug.bounty@swisscom.com\u003c/a\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003ePGP key ID\u003c/td\u003e\n    \u003ctd\u003eD7C7CE45C6817513\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003ePGP fingerprint\u003c/td\u003e\n    \u003ctd\u003e9423 3225 7E5F 5A65 425F 8807 D7C7 CE45 C681 7513\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003ePGP public key\u003c/td\u003e\n\t\u003ctd\u003e\n\t \u003ca href=\"https://github.com/swisscom/bugbounty/blob/main/assets/pgp/bug-bounty_19052024-19052026.asc\"\u003e\n\t  Public key\n\t \u003c/a\u003e\n\t\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n   \u003ctd\u003ePortal link\u003c/td\u003e\n   \u003ctd\u003e\n    \u003ca href=\"https://portal.bugbounty.swisscom.ch/\"\u003e\n     Bug Bounty Portal\n\t\u003c/a\u003e\n   \u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003ePostal address\u003c/td\u003e\n\t\u003ctd\u003e\n\t  Swisscom (Switzerland) Ltd\u003cbr\u003e\n\t  GSE-SEL\u003cbr\u003e\n\t  Bug Bounty Programme\u003cbr\u003e\n\t  Förrlibuckstrasse 60/62\u003cbr\u003e\n\t  CH-8005 Zürich\u003cbr\u003e\n\t  Switzerland\n\t\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n\n## 3 Responsible Disclosure Policy\nTo protect our customers, Swisscom does not publicly disclose or confirm \nsecurity vulnerabilities until Swisscom has conducted an analysis of the \nreported vulnerability and issued fixes and/or mitigations in its \nProducts or Services. \n\nBy submitting a vulnerability report (hereinafter \"Report\") to Swisscom, \nyou agree to not publicly disclose or share the reported vulnerability \nwith any third party until Swisscom confirms that the vulnerability has \nbeen remediated. 
Swisscom will make every effort to remedy reported \nvulnerabilities within 90 days after notification of your Report to \nSwisscom. Swisscom must be informed in advance about your intended \npublications and their content. The publication must NOT include any \ncustomer, confidential or sensitive data, and must focus on the \ntechnical vulnerability discovered. \n\nIn the event of publication, Swisscom and you shall mutually agree on a \ncoordinated disclosure. \n\nIf you submit a Report which affects a third-party service, we will \nlimit the information that we share with any affected third party. We \nmay share non-identifying content from your report with an affected \nthird party. We will not share your identifying information with any \naffected third party without first obtaining your written permission. \n\n\n## 4 Safe Harbour Policy\nThe Swiss Penal Code qualifies any type of hacking as a major crime. \nThis provision makes sure that you are safe from demands for a criminal \nsanction of Swisscom if you comply with the Programme Rules. If you \nviolate these Rules, you may not only be prohibited from participating \nin the Programme in the future, but Swisscom also reserves the right to \nfile criminal charges or take civil action against you. \n\nPlease understand that Swisscom cannot and does not authorise security \nresearch that involves any customer assets (networks, systems, \napplications, products or services) managed by Swisscom in an \noutsourcing setting. If your security research involves assets that \ninclude data of a third party, such third party may take civil actions \nor file criminal charges against you. Swisscom cannot in any way offer \nto defend, indemnify or otherwise protect you from third-party claims or \ncriminal charges against you. 
\n\nIf you comply with the Programme Rules, Swisscom will honour its Safe \nHarbour Policy, as defined below: \n\n * Swisscom interprets activities that comply with these Programme Rules \nas authorised access to our systems and will refrain from filing a \ncomplaint under Articles \n[143](https://www.fedlex.admin.ch/eli/cc/54/757_781_799/en#art_143),\n[143\u003csup\u003ebis\u003c/sup\u003e](https://www.fedlex.admin.ch/eli/cc/54/757_781_799/en#art_143_bis)\nand \n[144\u003csup\u003ebis\u003c/sup\u003e](https://www.fedlex.admin.ch/eli/cc/54/757_781_799/en#art_144_bis)\nof the [Swiss Criminal Code](https://www.fedlex.admin.ch/eli/cc/54/757_781_799/en). \n * If a criminal charge or legal action is initiated against you and you \nhave complied fully with the [Programme Rules](#54-programme-rules), \nSwisscom will make every effort to inform the authorities that your \nactions were conducted in compliance with Swisscom’s Bug Bounty \nProgramme. \n\nFor more information regarding legal aspects of ethical hacking in\nSwitzerland, refer to the\n[FDPIC Factsheet for ethical hackers](https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/internet_technologie/whh.html).\n\n\n## 5 Bug Bounty Programme\nSwisscom was the first company in Switzerland to introduce a Bug Bounty \nProgramme (hereinafter \"Programme\"), which has been up and running since \n2015. The Programme continues to be distinguished for its openness \ntoday: \n\n * Open participation for the global community of security researchers \n * Open scope including all enterprise assets\n * Open-ended, unlimited duration\n\nThe programme is self-managed, offers a wide range of technologies and \nvulnerability reports are triaged in-house by Swisscom employees.\n\nParticipants are permitted to perform tests and investigations within \nthe systems provided they act in good faith and respect the scope and \nrules described below. 
\n\n\n### 5.1 Eligibility\nYou are **eligible** to participate in the Programme if you meet **all** \nof the following criteria: \n\n * You are of legal age and have the legal capacity to give your consent \nto the terms of these Programme Rules. \n * If you are acting in the name of and on behalf of your employer, you \nmust clearly state this during the Registration Process and confirm that \nyou are authorised to give your consent to the terms of these Programme \nRules in the name of and on behalf of your employer. You are responsible \nfor reviewing your employer's rules for participating in this Programme. \nSwisscom disclaims any and all liability or responsibility for disputes \narising between you and your employer related to this matter. \n * Public Sector Employee: if you are a public sector employee, please \ncontact our Bug Bounty team using the details above prior to any testing \nactivities \n\nYou are **not eligible** to participate in the Programme if you meet \n**any** of the following criteria: \n\n * You do not fulfil all the above criteria\n * You are a resident or a national of any country subject to \ninternational or Swiss sanctions \n * You are a resident or a national of any country that does not allow \nparticipation in this type of Programme \n * You are currently an employee of Swisscom, or an immediate family or \nhousehold member of such an employee \n * Within the six months prior to providing us your Submission, you were \nan employee of Swisscom \n * You currently (or within six months prior to providing us your \nSubmission) perform services for Swisscom or a Swisscom subsidiary in an \nexternal staff capacity that requires access to the Swisscom Network, \nsuch as agency temporary worker, vendor employee, contractor \n\nSwisscom reserves the right to exclude any participant from the Programme\nat Swisscom's sole discretion and at any moment, particularly if it is\nobserved that submissions are not generating the expected value 
and, at\nthe same time, create an excessive workload for the triage team.\n\n\n### 5.2 Programme Scope\nIn principle, any Swisscom-owned assets are intended to be within the \nscope of the Programme. This includes almost all networks, systems, \napplications, products or services for which Swisscom is accountable. \n\nLikewise, assets from affiliated companies are also in scope if Swisscom \nLtd owns more than 50% of the company shares. You can find a list of \nsuch participations in the current [annual \nreport](https://reports.swisscom.ch/) under *Group Companies*. However, \ncertain exceptions apply; for example, [Fastweb \nSpA](https://www.fastweb.it/) is explicitly out of scope. \n\nSwisscom's customer systems or customer systems outsourced to Swisscom \nare explicitly out of scope. \n\nA non-exhaustive list of assets is maintained here as an [authoritative \nsource of the programme scope](scope). Participants must ensure to \nrestrict their research and testing activities as defined in the \n*in-scope* and *out-of-scope* lists. Note that items in the \n*out-of-scope* list take precedence over the *in-scope* items. Testing \non non-declared or *out-of-scope* assets will be viewed as a violation \nof the Programme Rules and any report on such will be disregarded. If a \nSwisscom asset is missing from the list, please contact the Bug Bounty \nteam to validate and extend the scope accordingly. \n\n\n### 5.3 Qualifying Vulnerabilities\nAny design, implementation or configuration issue that substantially \naffects confidentiality or integrity is likely to be eligible for a \nreward. Please refer to [vulnerabilities](vulnerabilities) for details. \n\n\n### 5.4 Programme Rules\nThe Rules of the Swisscom Bug Bounty Programme as defined in this \ndocument (hereinafter the \"Programme Rules\") govern the entire agreement \nbetween Swisscom and the participants (hereinafter \"you\") concerning the \nSwisscom Bug Bounty Programme. 
\n\nBy participating in the Programme in any manner, you accept these \nProgramme Rules. The Programme Rules may be changed unilaterally by \nSwisscom at any time. By participating in the Programme, you accept the \nProgramme Rules applicable at that time. If you do not agree, you are \nnot entitled to participate in the Programme. Swisscom reserves the \nright to terminate or discontinue the Programme at its discretion. \n\n\n#### 5.4.1 Registration\nTo participate in the Swisscom Bug Bounty Programme you must register an \naccount via our [Bug Bounty \nPortal](https://portal.bugbounty.swisscom.ch/). \nReports submitted via any other channel will be disregarded. In order to \nreceive bounty payments, you will be required to provide: \n * your name and postal address\n * a copy of an international identity document (e.g. passport or ID card),\n that is currently valid and that includes a \n [machine-readable zone](https://en.wikipedia.org/wiki/Machine-readable_passport)\n for unambiguous matching.\n * your bank details (see also [Payment \nmodalities](#561-payment-modalities)) \n\n\n#### 5.4.2 Impact on operations\n 1. You must avoid tests that could impair, interrupt or otherwise damage \nSwisscom services, services owned by Swisscom customers or other third \nparties. \n 2. You must avoid tests that could compromise, destroy or otherwise \ndamage Swisscom data, data owned by Swisscom customers or other third \nparties. \n 3. You are expected to take all necessary technical and organisational \nmeasures to minimise the impact of your testing activity. For example, \nmake sure you know what you are doing when using automated tools and \nlimit your requests per second. Refrain from conducting tests that\ninvolve spamming web forms or triggering reservations.\n 4. If you assume that the availability of a tested system was impaired \ndue to your testing activities despite all precautions taken, please \ninform the Bug Bounty Team immediately. 
\n\n\n#### 5.4.3 Confidentiality\n 1. You must report any detected vulnerabilities exclusively to Swisscom \nthrough our portal. You must refrain from disclosing vulnerabilities to \nthird parties, including customers of Swisscom that may be affected. \n 2. You must not publicly disclose any discovered credentials (e.g. \npasswords, tokens, API keys, etc). \n 3. Any obtained or downloaded data must not be disclosed to third \nparties and may not be used for any purpose other than reporting the \nvulnerability to Swisscom under this Programme. \n 4. Any obtained or downloaded data must be irrevocably erased from your \nsystems immediately after reporting the vulnerability to Swisscom. \n\n\n#### 5.4.4 Interference with other parties\n 1. You must refrain from interfering with other participants’ work \nwhen searching for vulnerabilities. \n 2. You must refrain from interfering with any devices or accounts from \nother Swisscom customers or third parties. \n\n\n#### 5.4.5 Data and financial impact minimisation\n 1. You must limit the amount of data accessed to a strict minimum. \n 2. You are expected to access the minimal amount of data necessary to \nprove the existence of a vulnerability.\n 3. If you need to carry out a financial transaction to demonstrate the\nimpact of a vulnerability (e.g. purchase of articles, vouchers or\nsubscriptions), we require that the transaction amount be minimal.\n\n\n#### 5.4.6 Transgression of scope\nIf you happen to find yourself in a customer system managed by Swisscom, \nif you identify data that does not belong to Swisscom or if you have \ndoubts about the type of system (Swisscom or customer) you are searching \nin, please stop further research in the system immediately and contact \nthe Bug Bounty Team. \n\n\n#### 5.4.7 Social engineering\nAny social engineering techniques such as phishing, smishing or vishing \nare forbidden. 
\n\n\n#### 5.4.8 Jurisdiction\nYou are expected to comply with all laws applicable to you.\n\n\n#### 5.4.9 Abuse\n 1. You must refrain from any misuse of Swisscom services, e.g. for \nsending unsolicited bulk email, postings, contact requests, SMS (text \nmessages), instant messaging, etc. \n 2. You are not allowed to register duplicate accounts on the Bug Bounty \nportal. \n\n\n#### 5.4.10 Communication\nUse only official communication channels as defined on the Swisscom Bug \nBounty website. \n\n\n#### 5.4.11 Code of conduct\nSwisscom expects you to comply with the following standards of behaviour \nwhen participating in the Programme. If you violate these standards, you \nmay be prohibited from participating in the Programme in the future and \nany submissions you have provided may be deemed to be ineligible for \nBounty payments. \n\n 1. No abusive language or harassment: we do not engage in and will not \ntolerate any form of threats, profanity and hateful speech, \ndiscrimination based on ethnicity, nationality, religion, sexual or \ngender identity or orientation, as well as age, level of experience or \npersonal appearance. \n 2. Do not engage in any form of reputation-damaging behaviours or \nactivities targeted at creating an unfair reputational advantage or \nrewards. \n 3. Do not engage in any activity that exploits people, harms people or \nrisks harming people. \n 4. Do not share inappropriate content or material (involving, for \nexample, nudity, bestiality, pornography, graphic violence or criminal \nactivity). \n 5. Do not engage in any activity that is false or misleading.\n 6. Do not engage in any activity that is harmful to you, the Programme \nor others (e.g., transmission of viruses, stalking, posting of terrorist \ncontent, communicating hate speech or advocating violence against \nothers). \n 7. 
Do not infringe upon the rights of others (e.g., unauthorised sharing \nof copyrighted material) or engage in activity that violates the privacy \nof others. \n 8. Do not cause harm to Swisscom or to our customers, do not attempt to \naccess our offices, data centres or any user accounts other than your \nown. \n 9. Do not help others to break these rules.\n\n\n### 5.5 Reporting Guidelines\nTo support our triage process your report must contain all the \ninformation required for us to confirm the vulnerability. This includes: \n\n 1. All information required to identify the affected asset\n 2. The type of security vulnerability\n 3. A clear and comprehensible description of the vulnerability along \nwith step-by-step instructions to reproduce a potential exploitation. \nInclude attachments such as screenshots, HTTP traffic logs or \nproof-of-concept code, as necessary. \n 4. In order for us to identify your requests in the logs, please \nprovide indicators of your activity such as your source IP address along \nwith a time frame and any other distinctive identifiers, where \napplicable. For example: \n    * Set a distinctive reverse DNS entry for your IP address \n    * Append the string `-bugbounty-\u003cusername\u003e` to the User-Agent \nheader for HTTP requests\n 5. You are expected to share all details about the discovered \nvulnerability. To prevent withholding of information in the initial \nreport, bypasses in subsequent reports originating from the same \nparticipant and regarding the same vulnerability will be accepted only \nafter 30 days. Bypasses reported during the verification phase are \naccepted and rewarded.\n 6. You must clearly disclose if you used AI technology (e.g. 
large \n language models, LLM) in the creation of your vulnerability report.\n We expect you to validate all facts and claims generated by the AI\n before submission.\n\n\n### 5.6 Rewards\nMonetary Rewards (hereinafter “Bounties”) for Reports may be awarded \nat Swisscom's full discretion. The awarded bounties range from CHF 100 \nto CHF 10'000. The Bug Bounty team determines the Bounty amount based on \n\n * the technical impact of the reported vulnerability\n * the business criticality of the impacted system or data\n * a plausible threat scenario, i.e. likelihood of exploitation\n based on actor capability and motivation\n * the quality of the documentation provided to Swisscom\n\nIn general, rewards will be paid after remediation of the vulnerability, \nand you will be asked to validate the remediation measures. \n\nThe following requirements for awarding a Bounty apply:\n * The vulnerability must affect an in-scope asset (see [Programme \nScope](#52-programme-scope)) and must qualify for the Programme (see \n[Qualifying Vulnerabilities](#53-qualifying-vulnerabilities)). \n * You must be the first reporter of the vulnerability.\n * Reports on vulnerabilities having the same root cause (remediation in \na single point, e.g. same backend system, same code base, etc), as well \nas enumeration of identical vulnerabilities may be treated as a single \nreport. \n\n\n#### 5.6.1 Payment modalities\nTo ensure that you receive any Bounties to which you are entitled, \nplease note the following prior to participation in the Programme: \n\n * Rewards are paid out in Swiss francs (CHF) by bank transfer only. Any \nother payment channels are excluded. \n * You must hold a bank account in your own or your company's name. \nPayments to entities other than the reporter are not allowed for legal \nreasons. 
\n * It will only be possible to award Bounties if you meet the payment \nmodality requirements \n\nUpon request, Swisscom may issue an invoice in your/your company's name.\n\nBounty Payments shall be due net within 30 days of confirmation of \npayment. The Bounty, if any, shall cover all services provided by you, \nincluding the costs for your Bug Bounty activities, documentation, any \nexpenses and incidental costs, and licence fees. If, for any reason, you \nare unable or unwilling to receive your Bounty, we reserve the right to \nrescind it. \n\nYou/your company will be responsible for your own taxes levied to the \nrespective party as legal taxpayer in accordance with the applicable \nlocal law. Each party shall bear its own income, withholding, sales, \nservice, value-added, use, excise, consumption and any other taxes and \nduties. \n\n\n### 5.7 Public Recognition\nSwisscom may publicly recognise individuals who have reported \nconsiderable vulnerabilities under the Programme and been awarded \nBounties.\n\nSwisscom may, at its discretion, give you recognition on websites or \nother printed materials, unless you explicitly ask us not to include \nyour name.\n\n\n### 5.8 Swisscom Employee Policy\nWhen participating in the Programme, you may provide information originating\nfrom private research about vulnerabilities and exploitation techniques. Your\nreport may be forwarded to any Swisscom employee, contractor, supplier, partner,\nor vendor on a need-to-know basis with the goal of remediating the reported\nissue. As such, all recipients gain an informational advantage, which is at risk\nof misuse or misappropriation. This policy aims to establish a standard for\nSwisscom employees when handling such information. While we cannot enforce this\npolicy with third-party entities (e.g. 
suppliers, vendors, etc.), our commitment\nto prevent abuse involves sharing only essential information and treating it as\nconfidential.\n\nAs long as the provided information is unavailable to the general public (i.e.\nthe report is not yet disclosed, no vulnerability details have been published,\nno CVE has been assigned, no security advisory has been issued, etc) and your\nreport has been closed for less than three months:\n\n * Swisscom employees will refrain from disclosing the information provided in\nreports (specific payloads, code, custom-built tools, etc.) to any\nthird-party without a need-to-know requirement.\n * In particular, Swisscom employees will not misuse the information for\npersonal financial gain (e.g. participation in bug bounty programs, sale to\nvulnerability brokers, etc).\n\n\n### 5.9 Bug Bounty Agreement, Applicable Law and Jurisdiction\nUpon your registration as reporter for the Program, you must agree to \nthese Program Rules and enter into a Bug Bounty Agreement with the terms \nof these Program Rules with Swisscom. \n\n#### 5.9.1 Activity clause\n\n##### 5.9.1.1 Activity of the reporter\nThe reporter provides independent advisory services with checking the \ndigital security precautions and measures at Swisscom (advisory \nactivities). In this connection, Swisscom has no authority to issue \ninstructions or to monitor the reporter. \n\nThe reporter organizes and provides his services in this context \naccording to his own organizational considerations and on his own \nprofessional and entrepreneurial responsibility, in particular with \nreference to the determination of the place of performance and the hours \nof activity. The reporter decides freely and independently how the \nservice is provided. \n\nThe reporter uses his own working tools (computer, mobile phone, tablet, \nprinter, etc.) to provide the services. The reporter is not entitled to \nany compensation in this regard. 
In any case, Swisscom is entitled to \nall (work) results including the technical database and processing \nmethods in connection with and / or resulting from the advisory activity \nin accordance with this agreement. \n\n##### 5.9.1.2 Scope of the agreement\nThis agreement applies from the time the advisor agrees to it. \n\nShould the reporter or Swisscom no longer wish to cooperate based on \nthis agreement at a future point in time, the corresponding cooperation \ncan be terminated at any time, unless this occurs at an inopportune time \n(i.e. a point in time that would have significant negative consequences \nfor one of the partners). \n\n##### 5.9.1.3 Other activities\nBy agreeing to this agreement, the reporter confirms that he is also \nworking for other clients. \n\n##### 5.9.1.4 Consulting fee\nThe client can pay a success-related fee for the consulting activity, \nthe amount of which is at the discretion of the client. Relevant \ncriteria can be the topicality and the respective news content for the \nclient. There is no legal entitlement to a fee. \n\n#### 5.9.2 Subcontractors\nThe use of subcontractors or other third parties by the reporter is not \npermitted. \n\n#### 5.9.3 Data privacy, data protection, data secrecy\n\n##### 5.9.3.1 Data protection\nThe reporter is obliged to comply with all data protection provisions \nand applicable data protection regulations within the scope of his \nactivity and applies the necessary care to protect data. \n\nData protection violations detected by the reporter must be reported to \nthe client immediately. \n\nIn particular, the reporter must observe the data protection regulations \nand instructions of Swisscom. Deficits in the Swisscom security system \ndiscovered by the reporter must be reported to the client immediately. \n\n##### 5.9.3.2 Data secrecy\nThe reporter is also obliged to maintain data secrecy in all of his \nactivities for the client. 
Specifically, this means that the reporter \nkeeps all information, data and personal data known or entrusted to him \nsecret and does not pass it on to third parties. \n\nIn addition to maintaining data secrecy and secrecy, there are further \nconfidentiality obligations (such as the maintenance of business and \ntrade secrets, see point 5) that must be observed. \n\nThe abstract naming of a system vulnerability found is expressly not \ncovered by the data secrecy and the obligation to secrecy. However, the \ndesignation of the reporter may only be made after the removal by the \nclient. \n\n#### 5.9.4\tReporting obligation\nIf the reporter has the opportunity to access personal data or \nparticularly sensitive personal data, the reporter shall notify Swisscom \nimmediately in writing by email (Contact: \n[bug.bounty@swisscom.com](mailto:bug.bounty@swisscom.com)) or via our \nportal. \n\n#### 5.9.5\tConfidentiality\nThe reporter is obliged to keep all data, personal data and information \nreceived in connection with his consulting activity confidential and not \nto pass them on to third parties. \n\nThe abstract naming of a system vulnerability found is expressly not \ncovered by the obligation of secrecy. However, the name may only be \ngiven after Swisscom has remedied the vulnerability. \n\nIn addition, the reporter is obliged to treat business and manufacturing \nsecrets known to him confidentially and not to pass them on to third \nparties. The duty of confidentiality remains in place even after the \nconsultation contract has ended. \n\nThe reporter undertakes under no circumstances to establish direct or \nindirect contact and communication with the customers and customers of \nthe customer. \n\nAfter completing his consulting work, the reporter will return in full \nall physical and digital documents, documents and data that he received \nin the course of fulfilling this consulting contract. Copies of \ndocuments, data and documents may not be made. 
\n\n#### 5.9.6 Tax clause\nThe reporter is solely responsible for the correct taxation of fees \nreceived. In the event that the payments are subject to VAT, the client \nshows the VAT and the VAT is paid by the client. \n\nThe reporter furthermore guarantees that he will independently pay all \n(social) insurance contributions as well as all taxes and duties \nrequired by the applicable legislation for the provision of the advisory \nactivity. At the request of the client, the reporter will provide \nevidence of having met these obligations. \n\n#### 5.9.7 IP clause\nSwisscom is not claiming any ownership rights to your report. However, \nby providing any report to Swisscom, you: \n\n * grant Swisscom the following non-exclusive, irrevocable, perpetual, \nroyalty free, worldwide, sub-licensable license to the intellectual \nproperty in your report (i) to use, review, assess, test, and otherwise \nanalyze your report; (ii) to reproduce, modify, distribute, display and \nperform publicly, and commercialize and create derivative works of your \nreport and all its content, in whole or in part; and (iii) to feature \nyour report and all of its content in connection with the marketing, \nsale, or promotion of this Program or other programs (including internal \nand external sales meetings, conference presentations, tradeshows, and \nscreen shots of the Report in press releases) in all media (now known or \nlater developed); \n * agree to sign any documentation that may be required for us or our \ndesignees to confirm the rights you granted above; \n * understand and acknowledge that Swisscom may have developed or \ncommissioned materials similar or identical to your Report, and you \nwaive any claims you may have resulting from any similarities to your \nreport; \n * understand that you are not guaranteed any compensation or credit for \nuse of your report; and \n * represent and warrant that your report is your own work, that you \nhaven't used information owned by 
another person or entity, and that you \nhave the legal right to provide the report to Swisscom. \n\n\n#### 5.9.8\tBank account\nThe reporter has to name a bank account for the processing. It is \nessential that the reporter himself, as an individual, is the recipient \nof the payment. If the reporter names a company account, he/she must be \nnamed as recipient. The use of a company account for this private \npurpose is in the responsibility of the reporter. He/she must obtain the \nappropriate permission from the respective company. Swisscom is not \nobliged to do so. \n\n#### 5.9.9\tGeneral provisions\nChanges and additions to this agreement, including this provision, are \nonly possible by means of a written agreement signed by both parties. \n\nShould any provision of this consultancy agreement be invalid or \nunenforceable, this shall not affect the validity of the remaining \nprovisions of this agreement. The invalid or unenforceable provision is \nto be replaced by a valid provision that comes as close as possible to \nthe economic purpose of the invalid or unenforceable provision. \n\nThis agreement is subject to Swiss substantive law. The exclusive place \nof jurisdiction for all disputes arising from or in connection with this \nconsulting contract is the Swisscom headquarters. Mandatory places of \njurisdiction are reserved. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisscom%2Fbugbounty","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fswisscom%2Fbugbounty","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisscom%2Fbugbounty/lists"}