Wielton (wielton.com.pl) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

Wielton at https://wielton.com.pl/en/ is one of Europe's largest manufacturers of semi-trailers, tippers, curtainsiders, and specialised vehicle bodies — shipping product configurators, dealer-portal backends, fleet-management tools, B2B quotation APIs, spare-parts catalogues, 3D visualisation engines, CRM pipelines, and logistics dashboards that span dozens of international subsidiaries. The entire Wielton-operated perimeter is in-scope with no artificial carve-out appendix. Every confirmed critical validated with a reproducible exploitation chain pays exactly $5,000 USD. Acceptance requires both a numbered attack chain narration and evidence that the exploitation actually succeeds (replayable scripts, tampered order or fleet state, SSRF egress, broken authz on dealer data, configurator-bypass traces — prose alone collapses payouts).

BountyHunter Editorial · Security Research Desk

Reading time: 9 min
Status: Live · Accepting reports
Critical payout: $5,000 USD · each validated report
Avg. triage: ~48h (industrial manufacturing pattern)
Blast radius: High (dealers · fleet · configs · CRM)
Scope: all Wielton-operated stacks
Proof bar: Chain + PoC kill chain · attack succeeds
01 — Overview

Special-vehicle manufacturing surfaces worth pressure-testing

Wielton is a top-three European trailer group operating a heavily integrated digital estate — public product catalogues, authenticated dealer-portal backends, B2B configurators with pricing logic, fleet-management dashboards, CRM pipelines holding customer PII and order histories, spare-parts e-commerce modules, 3D trailer visualisation engines, and logistics/supply-chain API bridges into subsidiary ERPs — fertile ground for broken access control, cross-dealer data leaks, and configurator-bypass or pricing-manipulation chains if any boundary slips. This playbook rewards only highest-impact, fully demonstrated criticals — each earns $5,000.

In scope materially: every HTTP(S) origin answering for wielton.com.pl and delegated subdomains, dealer-authentication portals, product-configurator engines and their REST/GraphQL backends, fleet-telemetry dashboards, CRM customer-data stores, spare-parts catalogue APIs, 3D visualisation endpoints, and any subsidiary-localised mirrors Wielton operates or configures.
Civil exclusions only: mass harassment, ransomware against unrelated third parties, laundering. Not product carve-outs.

Minimum evidence bar — non-negotiable:
  1. Narrative kill chain tying root cause → exploit steps → observable impact
  2. Proof the attack succeeds (replayable scripts, fixture logs, Burp/HAR with matched responses)
Narratives without a working exploitation path are graded below payout threshold.
02 — Why this matters

Why probe Wielton?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — single paid tier on this ledger.

Dealer + CRM + configurator blast radius

Dealer-portal authz bugs, configurator-pricing manipulation, or CRM leaks cascade across dozens of international subsidiaries — chained exploits only pay once they are replayed with receipts.

No fake micro-scope list

If Wielton hosts, proxies, or documents a surface — from dealer dashboards to fleet telemetry — testers escalate until severity lands.

Industrial supply-chain halo

Exploits with airtight chains earn coordinated publication credit after fixes ship — Wielton's supply-chain exposure makes responsible disclosure high-visibility.

03 — Reward

$5,000 per validated critical

There is exactly one bounty amount that maps to payouts on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows must exhibit (a) attacker-readable kill-chain storytelling and (b) objective proofs of successful exploitation replayable by Wielton responders (Burp transcripts, scripted API sequences, SSRF egress captures, configurator-bypass traces, dealer-data-exfiltration proofs…).

Critical $5,000 USD ea.

Mass dealer-account takeover or org-wide authz bypass; universal configurator-pricing forgery affecting many customers; fleet-data or CRM PII exfiltration at scale; persisted RCE in Wielton web/app origin; SSRF/cloud metadata pivot through configurator or dealer-backend workers; supply-chain API bridge compromise leaking subsidiary ERP data.

  • Cross-dealer or cross-subsidiary data exfiltration without consent
  • Critical integrity break in configurator pricing, order placement, or fleet telemetry
  • Break-glass SSRF from Wielton infra to internal cloud metadata or ERP bridges
Operational truth: If you can't yet prove the exploitation lands inside Wielton's boundary, tighten your staging mirror until HTTP/trace logs objectively show attacker success — triage shelves "might work" theories.
04 — Scope inventory

Illustrative map (non-exhaustive)

These rows do not impose limits — they are shorthand for tagging reports. Anything Wielton hosts, signs, proxies, caches, orchestrates, or webhook-delivers counts as bounty ground even if undocumented here. Do not read "not listed" as "out of scope": the default stance is open scope across Wielton.

| Surface | Class | Critical payout |
|---|---|---|
| wielton.com.pl, *.wielton.com.pl, HTML/JS/CSS, product pages | Web · CDN | $5,000 / validated bug |
| Dealer portal · authenticated dashboards · B2B quoting | SaaS · Portal | $5,000 / validated bug |
| Configurator REST/GraphQL backends · 3D visualisation APIs | Backend · API | $5,000 / validated bug |
| Fleet telemetry · CRM pipelines · spare-parts catalogue | Infra · Data | $5,000 / validated bug |
| Supply-chain API bridges · subsidiary ERP integrations | Integrations | $5,000 / validated bug |
05 — Scope policy

Everything Wielton operates — no exclusions list

This playbook refuses "only these SKU endpoints." Dealer-portal sub-tenants, configurator staging mirrors, fleet-telemetry boards, CRM pipelines, subsidiary-localised storefronts, 3D-model delivery CDNs — all bounty eligible when critical impact is reproducible.

  • Every apex / vanity hostname routing through Wielton edge — include routing evidence in your chain write-up
  • Dealer-authentication portals and role-based dashboards Wielton ships to its dealer network
  • Configurator engines and pricing-rule backends that feed B2B quotations
  • Supply-chain or ERP API bridges Wielton operates across international subsidiaries
Legal floor (not bounty shrink): harassment, indiscriminate ransomware, laundering — still barred even though technical surface is maximal.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Ship artefacts third parties rerun: scripted curl flows, Burp/HAR exports, SSRF egress captures, configurator-bypass scripts with verified pricing-state mutation.
  2. Articulate kill chain granularity. Number each hop: auth boundary → abused endpoint → escalation → monetizable damage (dealer ATO, cross-subsidiary bleed, configurator fraud, fleet-data exfil, infra takeover…).
  3. Responsible blast radius documentation. Quantify dealers, subsidiaries, or customers affected even when exercised only on staging mirrors that mirror routing + auth faithfully.
  4. Encrypt & ship privately. Use sanctioned intake on wielton.com.pl (see submit section) before broadcasting exploit details.
  5. Honor duplicate fairness. First fully qualifying chain + reproducible exploitation wins treasury on collisions.
07 — Submit

How to submit a report

Start from the security / disclosure contact publicly listed on wielton.com.pl (security@wielton.com.pl is a common pattern — verify on the vendor site before sending). Mandatory sections mirror below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — impact in one paragraph

# Severity self-classification → must map to Wielton critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions (session / dealer context / API key scope)
2. Entry primitive — exact HTTP verb/path/query/body
3. Pivot(s) chaining trust escalation
4. Final hop → dealer ATO / cross-subsidiary damage / configurator fraud / fleet-data exfil equivalent

## Successful exploitation evidence
• Replayable script + truncated responses showing impact
• HAR / Burp with unauthorized state change
• Configurator-pricing or dealer-data logs proving forged operation accepted

## Reproduction package
Commands + fixtures + pinned SHAs

## Disclosure ack
Responsible channel only until Wielton clears publication coordination
Gating reminder: Missing kill chain granularity or lacking demonstrable exploitation success bumps the intake into "needs rework" — no payout until solved.
08 — Example

PHP vignette · pair with reproducible dealer-portal exploit replay

Pseudocode for dealer-portal role checks skipped on direct API access — useless without traces proving unauthenticated wielton.com.pl calls mutate protected dealer or fleet state.

PHP · illustrative misuse
<?php
// BUGGY: dealer-role guard skipped when called via internal API bridge.
// $request->header(), $request->isInternalBridge() and the Dealer factory
// methods stand in for the dealer-portal framework; they are illustrative,
// not Wielton's actual API.
function resolveDealerContext($request) {
    // Dealer id comes from a client-supplied header and is never bound to the session.
    $dealerId = $request->header('X-Wielton-Dealer-Id');
    if ($request->isInternalBridge()) {
        // bridge calls skip role enforcement entirely and hand out admin scope
        return Dealer::withFullAdminScope($dealerId);
    }
    return Dealer::withVerifiedRole($dealerId);
}
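For contrast, the hardened counterpart of that resolver, added here as an example and not taken from Wielton or the program: the dealer context is bound to the authenticated session or to a verified bridge credential, the bridge path gets least-privilege scope instead of admin, and a header that disagrees with the session is logged as a detection signal. `Request`, `Dealer`, `sessionDealerId()` and `verifiedBridgeDealerId()` are hypothetical stand-ins for the real session store and signed service-credential check.

```php
<?php
// Added example, not Wielton's code: a hardened counterpart of the buggy resolver above.
// Request and Dealer are hypothetical stand-ins; sessionDealerId() and
// verifiedBridgeDealerId() are placeholders for the real session store and
// signed service-credential check.
declare(strict_types=1);

final class Dealer {
    public function __construct(public readonly string $id, public readonly string $scope) {}
}

final class Request {
    public function __construct(private array $headers, private ?string $sessionDealerId,
                                private ?string $bridgeDealerId) {}
    public function header(string $name): ?string { return $this->headers[$name] ?? null; }
    // Dealer id bound server-side to the authenticated portal session (never a header).
    public function sessionDealerId(): ?string { return $this->sessionDealerId; }
    // Dealer id inside a verified (signed) bridge credential; null unless the signature checks out.
    public function verifiedBridgeDealerId(): ?string { return $this->bridgeDealerId; }
}

// FIXED: the dealer context never comes from the client-controlled X-Wielton-Dealer-Id
// header, and a bridge call receives only the scope its credential was issued for.
function resolveDealerContextFixed(Request $request): Dealer {
    $bridgeDealer = $request->verifiedBridgeDealerId();
    if ($bridgeDealer !== null) {
        return new Dealer($bridgeDealer, 'bridge:read-orders'); // least privilege, not admin
    }
    $sessionDealer = $request->sessionDealerId();
    if ($sessionDealer === null) {
        throw new RuntimeException('unauthenticated');
    }
    // Detection hook: a header that disagrees with the session is a cross-dealer probe worth logging.
    $claimed = $request->header('X-Wielton-Dealer-Id');
    if ($claimed !== null && $claimed !== $sessionDealer) {
        error_log("dealer-id mismatch: session={$sessionDealer} header={$claimed}");
    }
    return new Dealer($sessionDealer, 'dealer:verified-role');
}

// Self-check on constructed requests (dealer ids are made up).
$spoof  = new Request(['X-Wielton-Dealer-Id' => 'D-9999'], 'D-0042', null);
$bridge = new Request(['X-Wielton-Dealer-Id' => 'D-9999'], null, 'D-0007');
$ok = resolveDealerContextFixed($spoof)->id === 'D-0042'
   && resolveDealerContextFixed($bridge)->scope === 'bridge:read-orders';
try { resolveDealerContextFixed(new Request([], null, null)); $ok = false; }
catch (RuntimeException $e) { /* expected: no session and no bridge credential */ }
echo $ok ? "hardened resolver OK\n" : "hardened resolver FAILED\n";
```

The mismatch log line is the kind of trace triage asks for in rule 1: replayed against the buggy resolver it shows the forged header being honoured, replayed against the fixed one it shows the attempt being rejected and recorded.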
09 — FAQ

Frequently asked questions

Is anything actually "out of scope" besides illegal stuff?

No discretionary product carve-outs — only universal legal/ethical lines. If Wielton hosts, proxies, or documents a surface, testers escalate until triage disqualifies specifics.

Do speculative write-ups without a working exploit get paid?

No. $5K critical payouts require both narrative and evidence of successful attack replay. Theory-only stalls without compensation.

Are staging / dev nets fair game?

Yes, whenever Wielton labels or operates them. Mirror configs realistically where possible.

Duplicates?

First validated chain + reproducible exploitation wins; followers acknowledged only.

Lower severities rewarded?

Not under this $5K-flat critical playbook — escalate impact or accept acknowledgement without cash.

Critical chain + working exploit = $5,000

No narrow scope appendix — document the attack, prove it lands, file privately.