Dirk is a Dutch supermarket chain with 131 stores that until 2014 operated many of its stores under the full name of founder Dirk van den Broek. The supermarket is mainly characterized by lowest price it offers in the Netherlands, it’s unique non-food promo assortment and no nonsense attitude towards loyalty programs. Dirk is a member of the Superunie purchasing association and carries his own private label under the name '1 de Beste'. Most shops can be found in and around the Randstad, with branches in the east of the country. The largest store can be found in Amersfoort. Since 2015, the supermarket chain has been led by Marcel Huizing.


  1. Low > Dirk shopper full of groceries
  2. Medium > 50 euro’s worth of groceries
  3. High > 100 euro’s worth of groceries
  4. Critical > 250 euro’s worth of groceries
  5. Exceptional > 1 minute free shopping


*If not located in the Netherlands, the equivalent amount of the reward will be transferred by bank.

Rules of engagement


  • User agent > Not applicable
  • Automated tooling > max. 5 requests/sec
  • Request header> Not applicable




  • Please clean up remnants of your testing and do not interfere with the normal operation of the site.
  • Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.
  • Provide detailed but to-the point reproduction steps
  • Include a clear attack scenario, a step by step guide in the PoC is highly appreciated
  • Suggestions for mitigation are appreciated as well
  • Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
  • Do not change or delete any data or system settings.
  • Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion, do not go any further
  • Please do NOT publish/discuss bugs before they are fixed


Response timeframe


In scope


  • Dirk.nl + PWA
  • werkenbijDirk.nl
  • D-winkels.nl


Out of scope


  • A1.dirk.nl
  • T1.dirk.nl
  • Known issue, re-directing




  • 20 november 2023, XSS and .webconfig vulnerabilitie (solved)


Severity assessment


All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating we've put some examples below. Note that depending on the impact a bug can sometimes be given a higher/lower severity rating.




  • A reflected XSS vulnerability that requires significant user interaction
  • A CSRF vulnerability in a non-critical feature
  • Open redirect
    • Reward: Dirk shopper full of groceries




  • A DOM XSS vulnerability
  • Reflected XSS
  • An IDOR leading to the disclosure of non-critical data
  • A CSRF with a significant impact
  • Lateral authentication bypass
    • Reward: 50 euro’s worth of groceries




  • Access to random users' data (sensitive PII)
  • A stored XSS vulnerability (excluding unexploitable self-XSS)
  • Vertical authentication bypass
    • Reward: 100 euro’s worth of groceries




  • A SQL injection vulnerability
  • Access to all customer personal data or access to a targeted user
  • A numeric IDOR that allows mass write/read actions on critical features
  • Path traversal leading to the disclosure of local files
    • Reward: 250 euro’s worth of groceries




  • A remote code execution vulnerability on the production server
  • Full database access (incl. update/delete)
    • Reward: 1 minute free shopping


Cool-down period of zero-days


Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty. We may however decide to offer a bonus at our own discretion!