Bounty Programma

Introduction and its subsidiary,, are committed to maintaining the security and privacy of our users' data. To encourage the security research community to help us identify potential vulnerabilities, we have established a Bug Bounty Program.


The following domains are in the scope of this Bug Bounty Program:


Eligible Vulnerabilities

We are interested in receiving reports on the following types of vulnerabilities:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • SQL injection
  • XML external entity (XXE) injection
  • Remote code execution (RCE)
  • Privilege escalation
  • Authentication bypass
  • Access control vulnerabilities
  • Information disclosure
  • Insecure direct object references (IDOR)
  • Security misconfigurations
  • Business logic vulnerabilities

Please note that this list is not exhaustive. We encourage researchers to report any security vulnerability they discover.


The following types of vulnerabilities are not eligible for rewards:

  • Social engineering attacks (e.g., phishing, vishing)
  • Physical attacks against FestivalCadeau infrastructure or employees
  • DDoS attacks
  • Vulnerabilities affecting outdated or unsupported software
  • Vulnerabilities affecting third-party applications or services
  • Vulnerabilities already known to us or previously reported

Submission Guidelines

To submit a vulnerability, please follow these guidelines:

  1. Send your report to with the subject line "Bug Bounty Submission."
  2. Provide a clear and concise description of the vulnerability, including the affected domain, the type of vulnerability, and steps to reproduce it.
  3. Include any relevant screenshots, videos, or proof-of-concept code to support your report.
  4. Provide your contact information for any follow-up questions or clarifications.
  5. Do not publicly disclose the vulnerability until we have resolved the issue and explicitly given you permission to do so.

Responsible Disclosure

We ask that researchers follow responsible disclosure practices, including:

  • Allowing us a reasonable amount of time to fix the vulnerability before publicly disclosing it.
  • Not exploiting the vulnerability for any purpose other than verifying its existence.
  • Not causing any harm to FestivalCadeau systems or data, or violating the privacy of our users.

We reserve the right to modify or discontinue this Bug Bounty Program at any time, and to determine the eligibility and reward amount for each submission. By participating in the program, you agree to these terms and conditions.

Thank you for your contribution to the security of and We look forward to working together to keep our platforms safe and secure.


Our rewards are based on the severity of the vulnerability and its potential impact on our users. The minimum reward for eligible vulnerabilities is €100,- and the maximum reward is €1500,-. The final amount will be determined at our discretion, based on the CVSS score and other relevant factors.