Posti Bug Bounty

Public Program | Posti | Posti Bug Bounty

We have launched the Bug Bounty program to find out critical security issues related to OmaPosti. With OmaPosti, you can track your parcels in real time and receive your letters and invoices immediately. Invoice payment is also easy. You can start using OmaPosti by registering to Posti’s consumer service register.

100€ - 10 000€

13.6.2022 - continually

About Posti

Posti is one of the leading delivery and fulfillment companies in Finland, Sweden and Baltics. We tend to the smoothness of our customers’ everyday lives and business by offering a wide range of postal, logistics, freight, and eCommerce services. We have the widest network coverage in Finland, and we visit around three million households and companies every weekday.

Key Points of the Program

The specific targets in scope of the program are listed in the reporting portal. Please login:

We implement bug bounties using reponsible disclosure, which means you need to follow some rules. Please read the rules before taking part in the program. Here are some key rules:

  • When you submit a vulnerability report, include all information and details necessary to duplicate and verify the issue. If we can't duplicate the issue, we can not reward you with a bug bounty.
  • By default, reported issues will not be disclosed.
  • Please act in good faith and do not endanger the availability of the service.
  • Please follow the law while researching.

The rules list the do's and don't do's of the program.

Note especially these rules:

  • Please follow the law. Finnish law is applied to this program.
  • Code injections to the backend systems (for example SQL-injection) where the data in the backend is changed or deleted, or read in unnecessary quantities are not allowed. Code injections themselves are allowed, the limitation is targeted towards the functionality and scope of the research and Proof of Concept code.
  • Do not use heavy automation or heavy volume automated scanners (such as, but not limited to, Nessus).
  • Social engineering or physical hacking methods are not in the scope of this program.
  • Denial of Service attacks are not allowed.
  • Actions and methods that cause, or will probably cause, disruption to the business are not allowed.
  • Any actions that threaten the security of an individual persons are not allowed.
  • If you suspect that your actions have caused disruptions or informations leakage - contact Hackrfi immediately.

The security and threat landscape is changing almost every day. Posti and Hackrfi Oy thank you for you work. We love working with you to make everybody more secure. We respect the time you have invested in this program, but also wish that you respect our service, response and fix times. Thank you!

Program rules Report a bug

Do you want to become a bug bounty hunter?

Create an account to our reporting portal, where you can submit reports to open programs.