Program rules

Owned by Petteri Kivimäki
Last updated: May 16, 2023
2 min read

Vulnerability reports are submitted to the X-Road Service Desk using the Bug Bounty request type. In order to access the X-Road Service Desk, sign up for an account.

  • Please include detailed steps to reproduce the issue in your vulnerability reports. Please remember to include any relevant X-Road configuration details, especially those that have been changed from their default or recommended values. Reports that cannot be reproduced by the X-Road team will not be eligible for bounties.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Additionally, any known issues will not be eligible for bounties. Known issues can be found on the public X-Road backlog. Note that details about serious security issues are sometimes hidden from the public backlog and replaced with placeholders, such as this issue. In these cases, details about the vulnerability will not be accessible to the public, so please submit your findings to this program and we will inform you whether or not they are already known.

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Please use only the latest versions of each X-Road component in your testing environment. Issues found in outdated versions of X-Road, or on unsupported platforms, will not be eligible for bounties, unless the issue can be reproduced in the latest version. A list of supported platforms can be found in the release notes for each version of X-Road.

  • Please perform all testing in an environment that you are authorized to test. NIIS cannot provide authorization to test against production instances of X-Road, as these instances are owned and operated by third parties. Instructions on how to set up your own personal X-Road environment can be found here.

  • Participation in this program by NIIS employees and contractors is prohibited for the duration of their employment or contract with NIIS, and for a period of two years thereafter. Additionally, any vulnerability submitted to this program that is traced back to code contributed by the researcher who reported it will not be eligible for a bounty.