LocalTapiola

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
Private Target 001 OTHER high high high critical
This is a private target. If you are not eligible to submit - DO NOT. The wrath of n/a will immediately be laid upon thee. No begging, hustling or peddling for invites.
myynti.lahitapiolarahoitus.fi URL medium high high critical
This service is an extranet service for our partners. This service has a few read-only backend integrations. To be able to log on, you need a partner account. No demo accounts are available. Very limited amounts of customer information are stored in this service. Any issues with confidentiality are interesting to us, as well as *cunning and clever* spoofing. Scanning for low value things is not a successful bounty strategy as we will not accept any best practice reports. No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked and put on the naughty list. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded. Other domains on this IP are out of scope.
secure.lahitapiola.fi URL low high medium critical
This domain is designed to send emails. It is by design that it accepts all kinds of sender and receiver addresses, including lahitapiola addresses. Because it is an email service, there is an SMTP server. That is also by design. Sending emails to root or other localhost users is not an issue. Also as a reminder - SSL/TLS, DNS and email best practices (DMARC etc.) and all theoretical hardening tricks and tips without any real life business case will be closed as n/a. This service is hosted and segregated outside of any critical infrastructure. Besides any potential data sent between two parties, there is no privacy related personal data stored on the server. The service is not critical for daily operations. Things that might be interesting to us (not an exhaustive list):
- Using the SMTP server to relay spam
- Leaking the actual contents of another user's email
- Modifying contents or attachments of another user
No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded. NOTE: as of May 2018, there will be no public disclosures of any of the reports in this domain.
verkkopalvelu.tapiola.fi URL high high high critical
This is our service portal for customers. This site contains customer information which is only accessible to customers. We are primarily interested in issues that are a direct threat to the integrity of our customers or their information - meaning stealing information, modifying information or deleting information. Privacy issues are also high on our list of critical issues. To be a successful reporter, you need to have an account on this website and understand the basics of the industry we do business in. If you want to understand our reasoning behind assessing reports, read up on risk management to understand the basic concepts of impact and probability. No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded. There are no demo or test accounts.
viestinta.lahitapiola.fi URL low medium medium critical
This is another (and very much secondary) public website. It is built using customized off-the-shelf tools (you can find out which tools by reading disclosed reports!). This site does not (and should not) contain any customer information. We are interested in issues affecting continuity and integrity, and misconfigurations that might lead to phishing or other attacks against our customers. Planting misinformation or using our public website for sharing malware would be a serious issue. If you understand what a public website is, which country we operate in and the basics of the industry we do business in, you will have a better chance of submitting reports successfully. If you want to understand our reasoning behind assessing reports, read up on risk management to understand the basic concepts of impact and probability. No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
www.lahitapiola.fi URL high medium high critical
This is our public website. It is built using both customized off-the-shelf tools as well as custom code. This site does not (and should not) contain any customer information. We are interested in issues affecting continuity and integrity, and misconfigurations that might lead to phishing or other attacks against our customers. Planting misinformation or using our public website for sharing malware would be a serious issue. If you understand what a public website is, which country we operate in and the basics of the industry we do business in, you will have a better chance of submitting reports successfully. If you want to understand our reasoning behind assessing reports, read up on risk management to understand the basic concepts of impact and probability. No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
www.lahitapiolarahoitus.fi URL low low medium high
This service is a portal which contains purely marketing and informational data. This service has no direct connections nor integrations to any critical backend systems. All data is public and the domain does not contain any sensitive, personal or privacy-related data. If such data were found - in medium to large quantities - that would be considered serious. Other things we would consider interesting are serious and working phishing schemes as well as using this domain for serious and real life spoofing. The site is published using WordPress - we know that. Hence all issues that can be found using default nmap WordPress scripts are already known. That includes the fact that /wp-admin is there. We know, and it will be fixed. Everything under wp-admin is thus a known issue (unless you want to burn a 0 day in our program). Scanning for low value things is not a successful bounty strategy as we will not accept any best practice reports. No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked and put on the naughty list. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded. Other domains on this IP are out of scope.
www.tapiola.fi URL medium medium medium critical
This is another entry point to our public website https://www.lahitapiola.fi. Do NOT copy your report to both domains; always PRIMARILY report on the www.lahitapiola.fi asset. No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
yrityspalvelu.tapiola.fi URL high high high critical
This is our service portal for corporate users. This site contains customer information which is only accessible to corporate customers. We are primarily interested in issues that are a direct threat to the integrity of our customers or their information - meaning stealing information, modifying information or deleting information. To be a successful reporter, you need to have an account on this website and understand the basics of the industry we do business in. If you want to understand our reasoning behind assessing reports, read up on risk management to understand the basic concepts of impact and probability. No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded. There are no demo or test accounts.
1439784468 APPLE_STORE_APP_ID low medium medium critical
This is the LemmikkiHelppi application. We are mainly looking for critical information leaks (not version numbers or similar low value) and threats to either the customer or the customer's device. The app can be found here: https://itunes.apple.com/fi/app/lemmikkihelppi/id1439784468?mt=8. Note: If your device is rooted, findings are automatically out of scope.
Private Target 002 OTHER medium medium medium critical
This is for invited hackers only. Do not report to this unless instructed to do so. Do not beg for invites.
ext-gw.lahitapiola.fi URL low high high critical
This domain contains APIs which are part of newly developed services. This domain is used by applications.
motorfnol.lahitapiola.fi URL high high high critical
lisasijoitus.lahitapiola.fi URL medium high high critical
This is a service where you can make additional online payments to investment insurance (AOL). Access to this service is through Varainhoidon verkkopalvelu (https://www.lahitapiola.fi/henkilo/sijoitukset-ja-varainhoito/kirjaudu-rahastojen-ja-varainhoidon-verkkopalveluun).
sijoitusvakuutus.lahitapiola.fi URL medium high high critical
This is a service for buying "Korkoetu" investment insurance. It is accessed from the Elämänturva mobile application.
verovelvollisuustiedot.lahitapiola.fi URL medium high high critical
This application is for reporting FATCA information. This is a service that can be accessed directly using the URL.
Private Target 003 OTHER low medium medium critical
This is a private target. If you are not invited to this target and submit to this asset, you will automatically be awarded an n/a. Please respect this.
1298908406 APPLE_STORE_APP_ID medium high high critical
This is the Terveyshelppi application. We are mainly looking for critical information leaks (not version numbers or similar low value) and threats to either the customer or the customer's device. The app can be found here: https://apps.apple.com/fi/app/terveyshelppi/id1298908406 Note: If exploitation requires that the device is rooted, the finding is automatically out of scope.
1464156398 APPLE_STORE_APP_ID medium high high critical
This is the Elämänturva application. We are mainly looking for critical information leaks (not version numbers or similar low value) and threats to either the customer or the customer's device. The app can be found here: https://apps.apple.com/fi/app/l%C3%A4hitapiola-el%C3%A4m%C3%A4nturva/id1464156398 Note: If exploitation requires that the device is rooted, the finding is automatically out of scope.
fi.lahitapiola.lemmikkihelppi GOOGLE_PLAY_APP_ID low medium medium critical
This is the LemmikkiHelppi application. We are mainly looking for critical information leaks (not version numbers or similar low value) and threats to either the customer or the customer's device. The app can be found here: https://play.google.com/store/apps/details?id=fi.lahitapiola.lemmikkihelppi&hl=en Note: If exploitation requires that the device is rooted, the finding is automatically out of scope.
fi.lahitapiola.lls GOOGLE_PLAY_APP_ID medium high high critical
This is the Elämänturva application. We are mainly looking for critical information leaks (not version numbers or similar low value) and threats to either the customer or the customer's device. The app can be found here: https://play.google.com/store/apps/details?id=fi.lahitapiola.lls&hl=en Note: If exploitation requires that the device is rooted, the finding is automatically out of scope.
fi.lahitapiola.mobile GOOGLE_PLAY_APP_ID medium high high critical
This is the Terveyshelppi application. We are mainly looking for critical information leaks (not version numbers or similar low value) and threats to either the customer or the customer's device. The app can be found here: https://play.google.com/store/apps/details?id=fi.lahitapiola.mobile&hl=en Note: If exploitation requires that the device is rooted, the finding is automatically out of scope.

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.lahitapiola.com URL none
Not a LocalTapiola domain.
*.lahitapiola.fi URL none
No relevant services registered unless explicitly listed as in scope in other assets.
*.localtapiola.com URL none
No relevant services registered.
*.tapiola.com URL none
Redirects to .fi equivalents or is running identical software as the .fi domains.
ANYTHING NOT LISTED AS IN-SCOPE OTHER none
Due to the misconception that anything NOT LISTED explicitly as out of scope would for some reason be in scope, this asset is added. This is purely a placeholder for making a point very clear:
ANYTHING NOT LISTED AS IN SCOPE IS OUT OF SCOPE, AND REPORTS TOWARDS ANYTHING OUT OF SCOPE RISK BEING CLOSED AS NOT APPLICABLE.
ASSETS SPECIFICALLY LISTED AS OUT-OF-SCOPE ARE JUST AS OUT OF SCOPE AS ANYTHING NOT LISTED AS IN-SCOPE.
Confusing? Not really. Think of the out of scope list as a list where we want to explain in more detail why it is out of scope.
email.lahitapiola.fi URL none
Third party service located outside of critical resources. Service is not critical and does not contain critical information. Assessment is based on LocalTapiola risk management processes and is not open for discussion.
hallintoportaali.lahitapiola.fi URL none
Third party service located outside of critical resources. Service is not critical and does not contain critical information. Assessment is based on LocalTapiola risk management processes and is not open for discussion.
jasenet.hr-palvelut.com URL low high high none
THIS DOMAIN IS REMOVED FROM THE BUG BOUNTY PROGRAM UNTIL FURTHER NOTICE. CURRENT REPORTS WILL BE DULY PROCESSED.
The criticality of this domain is medium, meaning scanning for low value things is not a successful bounty strategy. The domain does contain sensitive and personal data. Any other subdomains related to, seemingly related to, or visually similar to this domain are NOT in scope and will NOT be processed, so do not scan or test those. Best practice reports will not be processed, including reports about configurations related to error pages, headers or SSL/TLS configurations. Circumventing authentication or authorization mechanisms and leaking personal data is very interesting to us. All kinds of DoS-related reports will be dismissed. There are no test accounts in this system - for you to log on, you need to be an actual registered user.
lml.lahitapiola.fi URL none
Third party service located outside of critical resources. Service is not critical and does not contain critical information. Assessment is based on LocalTapiola risk management processes and is not open for discussion.
omatalous.lahitapiola.fi URL none
Third party service located outside of critical resources. Service is not critical and does not contain critical information. Assessment is based on LocalTapiola risk management processes and is not open for discussion.
tandem.lahitapiola.fi URL none none none none
Do not report. Reports will be closed as N/A.
tandemkirje.lahitapiola.fi URL none
Do not report. Reports will be closed as N/A.
toimitilat.lahitapiola.fi URL low low medium none
The criticality of this domain is medium, meaning scanning for low value things is not a successful bounty strategy. The domain does not contain any sensitive, personal or privacy-related data. If such data were found - in medium to large quantities - that would be considered serious. Other things we would consider interesting are serious and working phishing schemes as well as using this domain for serious and real life spoofing. NOTE: We have had previous reports on this domain - both accepted and closed as out of scope. History is in the past - old reports WILL NOT be reopened and they will not have priority - everyone will start from square one and send in new reports.
Private Target 001 OTHER high high high none
This is a private target. If you are not eligible to submit - DO NOT. The wrath of n/a will immediately be laid upon thee. No begging, hustling or peddling for invites.
www.lahitapiolarahoitus.fi URL low low medium none
This service is a portal which contains purely marketing and informational data. This service has no direct connections nor integrations to any critical backend systems. All data is public and the domain does not contain any sensitive, personal or privacy-related data. If such data were found - in medium to large quantities - that would be considered serious. Other things we would consider interesting are serious and working phishing schemes as well as using this domain for serious and real life spoofing. The site is published using WordPress - we know that. Hence all issues that can be found using default nmap WordPress scripts are already known. That includes the fact that /wp-admin is there. We know, and it will be fixed. Everything under wp-admin is thus a known issue (unless you want to burn a 0 day in our program). Scanning for low value things is not a successful bounty strategy as we will not accept any best practice reports. No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked and put on the naughty list. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded. Other domains on this IP are out of scope.
authenticate.lahitapiola.fi URL none
This is a shared SaaS service. This domain is part of authentication, but no hacking attempts are allowed.
tunnistus.lahitapiola.fi URL none
This is a shared SaaS service. This domain is part of authentication, but no hacking attempts are allowed.