Boozt invites you to help enhance our security. We value your expertise in identifying vulnerabilities. We're serious about security and eager to collaborate. Join us in making a difference.

Response Targets

Boozt will make its best effort to meet the following SLAs for hackers participating in our program:

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Follow HackerOne's disclosure guidelines.

How we determine severity of a report

After a report has been triaged by HackerOne, we will conduct an internal investigation to understand the impact of the vulnerability on our customers; the final severity will always factor in an assessment of how the issue affects our customers. Issues that can only be leveraged to attack one's own account will have their severity score or applicability reflect this.

Reports for security issues that aren't vulnerabilities in our systems might receive a bounty based on our assessment of the impact of the finding.

Targets

We invite you to identify and report security vulnerabilities in our core services, specifically our primary websites and the associated payment gateway, Kronor. The following targets are within the scope of this program:

Core applications: these are our websites and companion mobile applications.

1. Web applications:

   1. www.boozt.com
   2. www.booztlet.com

2. Mobile applications:

   1. com.boozt.app / com.boozt
   2. com.boozt.booztlet / com.booztlet

Kronor, a payment gateway serving merchants in the nordics.

1. https://kronor.io/v1/graphql
2. https://payment-gateway.kronor.io
3. https://kronor.io/cde/gql

We are interested in both isolated vulnerabilities in these endpoints and issues related to the integration of these endpoints with our websites and mobile applications.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When reporting vulnerabilities, please consider attack scenario, exploitability, and security impact of the bug on our customers.
• When duplicates occur, we only award the first fully reproducible report that we receive.
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. This also applies in the case of the vulnerability affecting both Boozt and Booztlet domains.
• If you require an account with our services to showcase a vulnerability, please use your @wearehackerone.com email when registering.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

The following are prohibited:

• Social engineering (phishing, vishing, smishing).
• Public or third-party disclosure before resolution.

Eligibility Requirements:

• First reporter of a specific vulnerability.
• Clear textual description and reproduction steps.
• Responsible disclosure.
• Testing only on owned accounts.

In addition to the above consideration, you are not eligible for the program if you are a current or former Boozt Group employee or consultant.

Out of Scope

Please note that any vulnerabilities found in third-party libraries or frameworks used by any of the targets are not in scope for this program, unless they directly impact the security of the target applications.

The following issues are considered out of scope:

• Best practice concerns: evidence of a security issue is required.
• Issues that can only be leveraged to attack one's own account.
• Vulnerabilities allowing to obtain infinite "Boozter" points or circumventing validation on the amount of points when purchasing a "Boozter"
• Clickjacking on pages with no sensitive actions.
• Attacks requiring MITM or physical access to a customer's device.
• Use of known vulnerable libraries without a working proof of concept showcasing leverage of that vulnerability.
• CSV injection without demonstrating a vulnerability.
• Any vulnerability affecting the availability of Boozt systems (e.g. denial of service vulnerabilities).
• Missing HttpOnly or Secure flags on cookies.
• Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).
• Software version disclosure.
• Public 0-day vulnerabilities that have had an official patch for less than one month will be awarded on a case by case basis.
• Tabnabbing.
• Open redirect - unless an additional security impact can be demonstrated.
• Sessions being hijacked because of insecure protocol use.
• Reports from automated tools or scans.
• Spam techniques.
• Code obfuscation in mobile applications.
• Issues relating to password policies.
• Race conditions that don't compromise the security of Boozt or our customers.
• Issues that require unlikely customer interaction.
• Issues related to hardcoded vendor tokens on mobile applications which don't compromise the security of Boozt or our customers.
• User enumeration vulnerabilities.

Known issues

The following issues are known to us and are being actively worked on. We consider them to be out of scope while remediation is in progress.

• Cross-Site Request Forgery (CSRF) vulnerabilities on the /api/me/favorites endpoint.
• Issues related to mobile application authentication tokens.
• Brute-force issues, in particular with authentication endpoints.
• Issues on Android apps affecting Webviews.

Jailbroken or rooted devices

Any issue in our mobile applications that can only be exploited on a jailbroken or rooted device will be considered out of scope.

Changelog

We will keep this section regularly updated with changes to our assets that might have relevant security implications.

Q2 2025

• New OAuth based authentication flow for mobile applications
• Tighter integration with Keychain for secrets in iOS applications

Thank you for helping keep Boozt and our customers safe!