Instruction: This is the Terveyshelppi application. We are mainly looking for critical information leaks (not version numbers or similar low-value findings) and threats to either the customer or the customer's device. The app can be found here: https://apps.apple.com/fi/app/terveyshelppi/id1298908406
Note: If exploitation requires that the device is rooted, the finding is automatically out of scope.
Integrity requirements: high
Max severity: critical
Asset identifier: 1439784468
Asset type: APPLE_STORE_APP_ID
Availability requirement: low
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is the LemmikkiHelppi application. We are mainly looking for critical information leaks (not version numbers or similar low-value findings) and threats to either the customer or the customer's device. The app can be found here: https://itunes.apple.com/fi/app/lemmikkihelppi/id1439784468
Note: If exploitation requires that the device is rooted, the finding is automatically out of scope.
Integrity requirements: low
Max severity: high
Asset identifier: api.lahitapiola.fi
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is a common API gateway that is used by various services in the LähiTapiola ecosystem. Tread carefully - no DoSing or unnecessary asshattery.
Integrity requirements: high
Max severity: critical
Asset identifier: asiointi.lahitapiola.fi
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This service is part of the customer engagement layer - a new customer self service portal.
This site contains customer information which is only accessible to customers. We are primarily interested in issues that are a direct threat to the integrity of our customers or their information - meaning stealing, modifying or deleting information. Privacy issues are also high on our list of critical issues.
To be a successful reporter, you need to have an account on this website and understand the basics of the industry we do business in. If you want to understand our reasoning behind assessing reports, read up on risk management to understand the basic concepts of impact and probability.
No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
There are no demo or test accounts.
Integrity requirements: high
Max severity: critical
Asset identifier: ext-gw.lahitapiola.fi
Asset type: URL
Availability requirement: low
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This domain contains APIs which are part of newly developed services. This domain is used by applications.
Integrity requirements: high
Max severity: critical
Asset identifier: fi.lahitapiola.lemmikkihelppi
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement: low
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is the LemmikkiHelppi application. We are mainly looking for critical information leaks (not version numbers or similar low-value findings) and threats to either the customer or the customer's device. The app can be found here: https://play.google.com/store/apps/details?id=fi.lahitapiola.lemmikkihelppi&hl=en
Note: If exploitation requires that the device is rooted, the finding is automatically out of scope.
Integrity requirements: low
Max severity: high
Asset identifier: fi.lahitapiola.mobile
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement: medium
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is the Terveyshelppi application. We are mainly looking for critical information leaks (not version numbers or similar low-value findings) and threats to either the customer or the customer's device. The app can be found here: https://play.google.com/store/apps/details?id=fi.lahitapiola.mobile&hl=en
Note: If exploitation requires that the device is rooted, the finding is automatically out of scope.
Integrity requirements: high
Max severity: critical
Asset identifier: lisasijoitus.lahitapiola.fi
Asset type: URL
Availability requirement: medium
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is a service where you can make additional online payments to investment insurance (AOL). Access to this service is through Varainhoidon verkkopalvelu (https://www.lahitapiola.fi/henkilo/sijoitukset-ja-varainhoito/kirjaudu-rahastojen-ja-varainhoidon-verkkopalveluun).
Additional information (originally in Finnish):
To be able to use this service, you must have an investment insurance policy
- that does not include the Kiinteistö-sijoitussalkku (real estate portfolio) as an investment target
- that does not include the Korkoetu investment target
Integrity requirements: high
Max severity: critical
Asset identifier: myynti.lahitapiolarahoitus.fi
Asset type: URL
Availability requirement: medium
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This service is an extranet service for our partners. This service has a few read-only backend integrations. To be able to log on, you need a partner account. No demo accounts are available. Very limited amounts of customer information are stored in this service. Any issues with confidentiality are interesting to us, as well as *cunning and clever* spoofing.
Scanning for low value things is not a successful bounty strategy as we will not accept any best practice reports. No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked and put on the naughty list. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
Other domains on this IP address are out of scope.
Integrity requirements: high
Max severity: critical
Asset identifier: privatetarget-1-www.zigzag
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: Private target: www
Integrity requirements: low
Max severity: medium
Asset identifier: privatetarget-2-secure.zigzag
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Private target: secure
Integrity requirements: high
Max severity: critical
Asset identifier: secure.lahitapiola.fi
Asset type: URL
Availability requirement: low
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This domain is designed to send emails. It is by design that it accepts all kinds of sender and receiver addresses, including lahitapiola addresses. Because it is an email service, there is an SMTP server. That is also by design. Sending emails to root or other localhost users is not an issue. Also, as a reminder: SSL/TLS, DNS and email best practices (DMARC etc.) and all theoretical hardening tricks and tips without any real-life business case will be closed as n/a.
This service is hosted and segregated outside of any critical infrastructure. Besides any potential data sent between two parties, there is no privacy related personal data stored on the server. The service is not critical for daily operations.
Things that might be interesting to us (not an exhaustive list):
- Using the SMTP server to relay spam
- Leaking the actual contents of another user's email
- Modifying contents or attachments of another user
No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
NOTE: as of May 2018, there will be no public disclosures of any of the reports in this domain.
Integrity requirements: medium
Max severity: critical
Asset identifier: sijoitusvakuutus.lahitapiola.fi
Asset type: URL
Availability requirement: medium
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is a service for buying "Korkoetu" investment insurance. It is accessed from the Elämänturva mobile application.
Integrity requirements: high
Max severity: critical
Asset identifier: tunnistus.lahitapiola.fi
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is a shared SaaS service. This domain is part of authentication.
Integrity requirements: high
Max severity: critical
Asset identifier: verkkopalvelu.tapiola.fi
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is our service portal for customers. This site contains customer information which is only accessible to customers. We are primarily interested in issues that are a direct threat to the integrity of our customers or their information - meaning stealing, modifying or deleting information. Privacy issues are also high on our list of critical issues.
To be a successful reporter, you need to have an account on this website and understand the basics of the industry we do business in. If you want to understand our reasoning behind assessing reports, read up on risk management to understand the basic concepts of impact and probability.
No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
There are no demo or test accounts.
Instruction: This application is for reporting FATCA information. This is a service that can be accessed directly using the URL.
Integrity requirements: high
Max severity: critical
Asset identifier: www.lahitapiola.fi
Asset type: URL
Availability requirement: high
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is our public website. It is built using both customized off-the-shelf tools and custom code. This site does not (and should not) contain any customer information. We are interested in issues affecting continuity and integrity, and in misconfigurations that might lead to phishing or other attacks against our customers. Planting misinformation or using our public website for sharing malware would be a serious issue.
If you understand what a public website is, which country we operate in and the basics of the industry we do business in, you will have a better chance of submitting reports successfully. If you want to understand our reasoning behind assessing reports, read up on risk management to understand the basic concepts of impact and probability.
No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
Integrity requirements: high
Max severity: critical
Asset identifier: www.tapiola.fi
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is another entry point to our public website https://www.lahitapiola.fi. Do NOT copy your report to both domains; always PRIMARILY report on the www.lahitapiola.fi asset.
No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
Integrity requirements: medium
Max severity: critical
Asset identifier: yrityspalvelu.tapiola.fi
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is our service portal for corporate users. This site contains customer information which is only accessible to corporate customers. We are primarily interested in issues that are a direct threat to the integrity of our customers or their information - meaning stealing, modifying or deleting information.
To be a successful reporter, you need to have an account on this website and understand the basics of the industry we do business in. If you want to understand our reasoning behind assessing reports, read up on risk management to understand the basic concepts of impact and probability.
No automated portscanning or bruteforcing allowed - you will have very limited success and you will be blocked. Copy-pasted reports from vulnerability scanners or Kali-scripts where no business impact is proven will not be awarded.
There are no demo or test accounts.