Security Disclosure Policy

BugBounty.company coordinates security disclosures on behalf of its affiliated companies. We welcome reports from any person who has identified a security issue, whether or not they are a member of our researcher program, and we act on every report in good faith.

Scope

This policy applies to security issues affecting any company or asset coordinated by BugBounty.company. Anyone may submit a report under this policy.

Participation in the BugBounty.company researcher program, which includes access to the list of in-scope assets, severity guidance, and reward arrangements, is by invitation only. Reports from non-invited parties are still received, triaged, and forwarded to the relevant affiliated company; reward eligibility for such reports is determined at that company's discretion.

How to Report

Submit reports through our contact form at https://bugbounty.company/contact or by email to contact@bugbounty.company.

A useful report includes:

A clear description of the vulnerability and its impact.
The affected asset (URL, hostname, endpoint, or product version).
Steps to replicate the issue, in sequence, with the minimum payload required.
Supporting evidence (screenshots, request and response captures, proof-of-concept).
Your name, contact details, and country of legal residence.

Response Commitment

We aim to acknowledge every report within 48 hours of receipt. Substantive triage updates follow as the investigation progresses.

Rules of Engagement

The following are strictly prohibited and will void any reward:

Denial-of-service (DoS) or distributed denial-of-service (DDoS) testing of any kind.
Attacks against upstream providers, third-party services, or shared infrastructure.
Social engineering of staff, customers, or contractors.
Physical attacks against personnel or property.
Accessing, downloading, retaining, or modifying user data beyond the minimum required to demonstrate impact.
Automated scanning that generates excessive or disruptive traffic.

Coordinated Disclosure

Reporters are asked to refrain from any public discussion of the finding until 30 days after the vulnerability has been mitigated by the affected company. We will notify you when mitigation is confirmed, at which point the 30-day clock begins.

Reward Eligibility

Where monetary rewards are offered, the following conditions apply:

Payments are made solely at the discretion of the affiliated company to which the report relates. BugBounty.company facilitates but does not guarantee payment.
No payment will be made to any individual or organisation resident in, or operating from, a country subject to any applicable sanctions regime.
No payment will be made to minors. For this purpose, a minor is any person under 18 years of age or below the local age of majority, whichever is higher.
For duplicate reports, only the first valid submission, time-stamped on receipt, is eligible.

Safe Harbor

Reporters acting in good faith under this policy will not be referred to law enforcement or pursued in civil action by BugBounty.company. Affiliated companies may extend their own safe-harbor terms, which are communicated to invited researchers at the time of engagement.

Contact

Form: https://bugbounty.company/contact
Email: contact@bugbounty.company

Last updated: 17 May 2026