Security Disclosure Policy

This page describes how to responsibly report a vulnerability. We greatly appreciate all endeavors in helping us secure our platform.

How to report vulnerabilities:
Send an email to security@seetickets.nl describing a security issue within scope.

Domain scope:
The web services that are part of our ticketing system primarily operate on the domains *.paylogic.com, *.paylogic.nl and *.paylogic.eu.

In addition, we own and host the following list of domains, which mostly forward to our corporate website www.paylogic.com:

accepte.eu, accepte.net, accepte.nl, accepteholding.com, eelogic.nl, paylogic-asia.com, paylogic-international.com, paylogic-ticketing.com, paylogic-tickets.com, paylogic.asia, paylogic.at, paylogic.be, paylogic.bg, paylogic.ch, paylogic.co.th, paylogic.com, paylogic.com.ar, paylogic.com.br, paylogic.com.mx, paylogic.com.tr, paylogic.com.tw, paylogic.cz, paylogic.de, paylogic.dk, paylogic.es, paylogic.eu, paylogic.fr, paylogic.gr, paylogic.hu, paylogic.ie, paylogic.it, paylogic.jp, paylogic.kr, paylogic.lt, paylogic.lu, paylogic.lv, paylogic.mobi, paylogic.mx, paylogic.nl, paylogic.org, paylogic.pl, paylogic.rs, paylogic.se, paylogic.si, paylogic.tw, paylogic.uk, paylogicasia.com, paylogicinternational.com, paylogics.net, paylogics.nl, paylogicticketing.com, paylogictickets.be, paylogictickets.com, paylogictickets.de, paylogictickets.eu, paylogictickets.fr, paylogictickets.lu, paylogictickets.nl, scanware.nl, sea-ticket.nl, sea-tickets.nl, seatickets.nl, see-tickets.nl, see.nl, seeticket.nl, ticketware.nl, werkenbijpaylogic.nl and workingatpaylogic.com.

Vulnerability scope:
- high or critical severity or score (CVSS)
- potentially disruptive
- unattended exposure of sensitive data

What to report:
- description and link to the CVE if possible
- affected subdomains or FQDNs
- how to reproduce
- we are open to hearing your ideas about improvements

A team of security engineers will analyze the issue, and if it turns out to be notable, we will get back to you within a few working days.

Bug Bounty:
See Tickets currently does not offer a paid bug bounty program, however there is a discussion about implementing it.
We would like to thank and acknowledge those who invested time and effort into responsibly reporting their findings to us.

Hall of Fame:
omri.bounty@gmail.com - found a stale DNS record pointing to Amazon IP we don't use anymore enabling an attacker to potentially misuse accounts