Liechtenstein National Administration (LLV) - VDP

Description

The Liechtenstein National Administration (LLV) provides all public services for the citizens, businesses, and financial sector of the Principality of Liechtenstein. As one of the most digitally advanced nations in Europe, the LLV operates a diverse portfolio of applications, ranging from national eID infrastructure and e-health services to complex platforms for international data exchange. We are committed to innovation and the highest security standards to ensure Liechtenstein's digital sovereignty and to protect the data of our citizens and corporate entities.

Rules

The Liechtenstein National Administration operates various services (Platforms, Services). All publicly available digital content owned by the Liechtenstein State Administration, or operated or maintained by it (this also includes the eID.li app for iOS and Android, which is available in the Apple App Store and Google Play). All other domains or explicitly listed services are therefore do not fall under the Legal Safe Harbor Agreement.

By participating in this Program, Friendly Hackers undertake to document information about any vulnerability found exclusively via the platform's designated reporting form and not in any other places. You also agree not to publish the vulnerability found after reporting it on the platform, unless you have obtained written permission from Liechtenstein National Administration. Finally, they undertake to upload to the platform any data from customers that they have obtained as part of the Program, to delete any local copies afterwards and not to distribute them further.

Hacking Methods

In participating in the program, ethical hackers agree not to use methods that would adversely affect the tested applications or their users. These methods include:

Social engineering
Spamming
Phishing
Denial-of-service attacks or other brute force attacks
Physical attacks

In addition to the prohibited hacking methods listed above, Friendly Hackers are required to immediately discontinue vulnerability scanning if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the Platform's or Service's operations.

Automated Tooling

Max. 5 requests/sec

Request Header

X-GObugfree-Username: {Username}

Qualified Vulnerabilities

Any design or implementation problem can be reported that is reproducible and affects security.

Typical examples:

Cross Site Request Forgery (CSRF)
Cross Site Scripting (XSS) – Only if a security impact can be demonstrated. A simple alert box is not sufficient.
Insecure Direct Object Reference
Remote Code Execution (RCE) - Injection Flaws
SQL Injection (SQLi)
Server-Side Request Forgery (SSRF)
Information Leakage and Improper Error Handling
Unauthorized access to properties or accounts

Other examples:

Data/information leaks
Possibility of data/information exfiltration
Backdoors that can be actively exploited
Potential for unauthorized system use
Misconfigurations

Non-Qualified Vulnerabilities

The following vulnerabilities and forms of documentation are generally not wanted and will be rejected:

Attacks that require physical access to a user's device or unlikely user interaction
Forms with missing CSRF tokens (unless the criticality exceeds CVSS level 5)
The use of a library known to be vulnerable or publicly known to be broken (unless there is active evidence of exploitability)
Reports from automated tools or scans without explanatory documentation
Social engineering targeting individuals or entities of the organization
Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
Bots, spam, bulk registration
Submission of best practices that do not directly result in an exploitable vulnerability (e.g., missing security headers, TLS cipher suite selection, etc.)
Missing rate limiting without significant security impact
Vulnerabilities affecting users of outdated or unsupported browsers, platforms, or operating systems
Vulnerabilities affecting rooted devices or devices infected by malware
Vulnerabilities caused by manipulated versions of our apps
Recently disclosed 0-day vulnerabilities in libraries, components, and platforms
Design decisions that are publicly documented (e.g., in the Cryptography Whitepaper)
Self rXSS with no Security Impact
Leak of publicly available data
The eID.li Android application li.llv.eidli.app ships a PKCS12 client certificate anonymous.p12 and its password in assets/config.json. This Client Certificate Authenticates to Production mTLS Backend. This is not considered a vulnerability by the vendor.

Scope

Not in Scope

Please note that we use services from other companies and/or organizations for some parts of our systems and infrastructure. Vulnerabilities discovered or suspected in these systems shall be reported to the relevant provider or authority. Should these nevertheless be submitted via this channel, we forward the vulnerability to the relevant organization. However, the owner of the IT system concerned remains responsible for the system and possible measures to remedy it.

In Scope

All publicly available digital content owned by the Liechtenstein State Administration, or operated or maintained by it (this also includes the eID.li app for iOS and Android, which is available in the Apple App Store and Google Play).

Legal

The organisation gives their approval for security researchers to use hacking methods based on the specified briefing. Due to this consent, the criminal liability criterion of unauthorized obtaining/unauthorized use and thus the criminal liability of the security researchers with regard to the criminal offenses in Art. 143 Swiss Criminal Code (Unauthorised obtaining of data) and Art. 143bis Swiss Criminal Code (Unauthorised access to a data processing system) does not apply.