DenMarket Bug Bounty Program
Defend Denmark runs coordinated security testing for DenMarket, an online marketplace. We invite researchers to find and responsibly report vulnerabilities so we can fix them before they hurt our users.
Scope
✅ In scope
- *.denmarket.dk — all subdomains and services of the DenMarket platform
⛔ Out of scope
- This portal — hack.denmarket.dk — is OUT of scope. Do not test the submission platform itself.
- The underlying server / VPS, its SSH, and the hosting provider
- Any host or service outside denmarket.dk
- Denial of service, and volumetric or automated scanning that degrades the service
- Social engineering of staff or other researchers
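Before pointing any automated tooling at a target list, it pays to filter it mechanically against the scope rules above. The script below is an added example and is not part of the DenMarket program or its portal; the hostnames and IPs it is run against are constructed for illustration. It encodes only what the scope text says: hosts under *.denmarket.dk are in, hack.denmarket.dk and raw server addresses are out, everything else is out, and the apex denmarket.dk (not literally covered by the wildcard) is reported as "ask" rather than guessed. Treating subdomains of the portal as excluded is a conservative assumption of the example, not a program rule.

```python
"""Scope pre-check for candidate targets (added example, not program tooling)."""
import ipaddress
from urllib.parse import urlsplit

IN_SCOPE_SUFFIX = "denmarket.dk"          # from "*.denmarket.dk" in the program text
EXCLUDED_HOSTS = ("hack.denmarket.dk",)   # the submission portal itself


def host_of(target: str) -> str:
    """Return the bare, lowercase hostname from a URL, host, or host:port string."""
    if "://" not in target:
        target = "//" + target              # make urlsplit treat the input as a netloc
    host = urlsplit(target).hostname or ""  # .hostname is lowercased and port-free
    return host.rstrip(".")                 # drop a trailing FQDN dot


def scope_verdict(target: str) -> str:
    """Classify a target as "in", "out", or "ask" (apex domain: confirm first)."""
    host = host_of(target)
    if not host:
        return "out"

    # Literal IPs: the VPS and hosting provider are out of scope, and an IP
    # cannot satisfy a name wildcard anyway.
    try:
        ipaddress.ip_address(host)
        return "out"
    except ValueError:
        pass

    # Exclusions win over the wildcard. Subdomains of the portal are treated
    # as excluded too (conservative assumption, not stated by the program).
    for excluded in EXCLUDED_HOSTS:
        if host == excluded or host.endswith("." + excluded):
            return "out"

    # Label-wise suffix match. A plain host.endswith(IN_SCOPE_SUFFIX) would
    # accept "evildenmarket.dk"; requiring the leading dot avoids that.
    if host.endswith("." + IN_SCOPE_SUFFIX):
        return "in"
    if host == IN_SCOPE_SUFFIX:
        return "ask"                        # wildcard does not literally cover the apex
    return "out"


def partition(targets):
    """Group a target list by verdict so only the "in" set is fed to tools."""
    groups = {"in": [], "out": [], "ask": []}
    for target in targets:
        groups[scope_verdict(target)].append(target)
    return groups


if __name__ == "__main__":
    # Constructed sample list; hostnames and addresses are illustrative only.
    sample = [
        "https://api.denmarket.dk/v1/items",
        "shop.denmarket.dk:8443",
        "hack.denmarket.dk",
        "HACK.DENMARKET.DK.",
        "evildenmarket.dk",
        "denmarket.dk.attacker.example",
        "203.0.113.10",
        "http://[2001:db8::1]/",
        "denmarket.dk",
    ]
    for verdict, items in partition(sample).items():
        print(f"{verdict:>3}: {items}")
```

The "ask" bucket exists on purpose: the program says to ask first when scope is unclear, so the checker refuses to decide the apex case for you instead of silently including or dropping it.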
Rules of engagement
- Only test in-scope targets. If you can’t tell whether something is in scope, ask first.
- Don’t pivot from the marketplace into the host OS or the surrounding network beyond what is needed to demonstrate impact, and don’t attack other researchers.
- Use your own test accounts. Don’t access, modify, or destroy data you don’t own beyond the minimum needed to prove a finding.
- No DoS, no spam, no mass exploitation. Keep automated traffic gentle.
- Keep findings confidential until they’re resolved and we say it’s OK to share.
How findings are judged
There are no flags. You demonstrate impact with a clear writeup and a proof artifact — the concrete evidence that you achieved the impact, e.g.:
- For data exposure: the leaked value (a password hash you dumped, another user’s data).
- For RCE: the contents of a server-side proof token we’ve planted, or command output.
- For access-control bugs: evidence you reached a resource that isn’t yours.
Reports are scored on impact, clarity, and reproducibility. A great writeup that lets us reproduce and fix the issue beats a vague high-severity claim.
| Severity | Typical examples |
|---|---|
| Critical | RCE, full admin takeover, mass data exposure |
| High | SQLi, auth bypass, SSRF to internal secrets |
| Medium | Stored XSS, IDOR, CSRF on sensitive actions |
| Low | Reflected XSS, user enumeration, info leaks |
| Info | Best-practice notes, hardening suggestions |
How to participate
- Sign up with a username — you’ll get a long-lived API token. Save it; it’s shown once.
- Hack the in-scope targets.
- Submit a report for each finding with steps and your proof artifact.
- Track status under My reports as we triage.
Questions during the event? Grab an organizer or email security@denmarket.dk.