Menu
Eurofins >> Report a Security Vulnerability

Report a security vulnerability

Eurofins takes cybersecurity seriously and values the contributions of the security community and security researchers. We are committed to engage with anyone reporting security vulnerabilities in a positive, professional, mutually beneficial manner that protects the Eurofins Group and our customers.

Eurofins operates a coordinated disclosure policy for disclosing vulnerabilities and other security issues. If you are aware of a security vulnerability that could affect the Eurofins Group or any of our assets, please contact us via the link disclosed under "How to Report a Security Vulnerability". 

Hall of Fame

Eurofins operates a Hall of Fame where we express our sincere thanks to security researchers who ethically report security issues to us. You can find our Hall of Fame here.

Rules of Engagement

Prior to reporting, please review the below items for program rules, in and out of scope vulnerabilities/applications.

  • Submit your report in English language.
  • Do not discuss or disclose any vulnerabilities (even resolved ones) and keep them in full confidentiality without prior explicit written consent from Eurofins.
  • Do not infringe any applicable intellectual property rights or trade secrets, laws or regulations.
  • Do provide as much information as possible about the potential issue you have discovered with reproducible steps.
  • Make a good faith effort to avoid privacy violations (incl. any personal data protection breaches), destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Remove all Eurofins Confidential Information, including Personal Data you got from the analysis once the report is resolved.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Do not act so as to compromise safety of Eurofins services and/or Eurofins operation.
  • Do not lock, disclose, destroy or compromise integrity of Eurofins and its customers and partners data
  • Eurofins will treat submitted reports confidentially and will not share the researcher's personal details with third parties without their authorization, unless required in order to do so to comply with legal obligations.
  • Eurofins does not operate a bug bounty and does not pay any bounties.
  • Eurofins will add you to our Hall of Fame for any confirmed vulnerability on your request.

When reporting vulnerabilities, please consider the attack scenario / exploitability (likelihood), and possible security impact of the bug. The following issues are considered out of scope:

  • Testing third-party applications, websites, or services that integrate with or link to Eurofins properties.
  • Missing http security headers which do not lead to a vulnerability.
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).
  • Login/logout CSRF.
  • Password and account recovery policies, such as reset link expiration or password complexity.
  • Clickjacking without an impact.
  • Content spoofing / reflection / injection (on 404 page, search result page etc.) unless executes code.
  • Known-vulnerable library (without evidence of exploitability).
  • Certain reports of spam.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
  • Low impact host header issues.
  • Hard to exploit SSL/TLS protocol vulnerabilities, Missing best practices in SSL/TLS configuration.
  • Rate limiting or brute-force issues on non-authentication endpoints.
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application, or server errors).
  • Tabnabbing.
  • Open redirect - unless an additional security impact can be demonstrated.
  • Open ports which do not lead directly to a vulnerability.
  • Reports from automated tools or scans without a working Proof of Concept.
  • Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset.
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  • Email enumeration.
  • Cookie and logout policies.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Vulnerabilities which require a jailbroken device.
  • API keys found in our mobile applications.
  • Attacks requiring physical access to a user's device or Attacks requiring MITM.
  • Physical security of Eurofins facilities, employees, equipment, etc.
  • Tests in a manner that would corrupt the operation of Eurofins solutions.
  • Issues that require unlikely user interaction.

Under very rare conditions Eurofins might consider specific submissions out of scope or not qualifying for a valid vulnerability, based on internal knowledge (e.g. risk acceptance) or based on duplicate internal/external submissions.

You can submit a security vulnerability via this form. Please remember to adhere to the preceding rules of engagement and submit as much information as possible to allow us to reproduce and validate your finding.

Thank you for helping keep Eurofins and our customers safe!