Responsible Disclosure & Bug Bounty Policy

Purpose

We encourage security researchers to responsibly disclose vulnerabilities that may affect the confidentiality, integrity, or availability of our systems or the personal data we process. Due to our size and limited revenue, we operate a discretionary, impact-based bug bounty program rather than a guaranteed reward model.

Scope (In Scope)

The following assets are in scope for responsible disclosure:

  • Production web applications and APIs operated by us

  • Authentication and authorization mechanisms

  • Access controls related to personal or sensitive data

  • Encryption, key management, and data exposure risks

  • Misconfigurations with demonstrable security impact

Only vulnerabilities affecting production systems are eligible.

Out of Scope (No Bounty)

The following are explicitly out of scope and will not be rewarded:

  • Best-practice findings without demonstrable impact

  • Theoretical issues without a practical exploit

  • Clickjacking without sensitive state-changing actions

  • Rate-limiting issues without abuse scenarios

  • Automated scan results without contextual analysis

  • Social engineering or phishing attacks

  • Physical attacks or insider threats

  • Denial-of-Service (DoS/DDoS) attacks

Rules for Responsible Disclosure

Researchers must:

  • Avoid accessing, modifying, deleting, or exfiltrating data

  • Avoid actions that could impact system availability

  • Avoid accessing accounts or data belonging to real users

  • Stop testing immediately once sufficient proof is obtained

  • Not publicly disclose details without our explicit consent

  • Allow a reasonable remediation window (minimum 90 days)

Any activity outside these rules may disqualify the report.

Reporting Requirements

A valid report must include:

  • A clear description of the vulnerability

  • Step-by-step reproduction instructions

  • Proof of concept (PoC), where applicable

  • Clear impact assessment (what can an attacker achieve?)

  • Affected endpoints, services, or configurations

  • Optional mitigation suggestions

Reports lacking reproducible impact may be closed without reward.

Assessment Process

  1. Acknowledgement within 3 business days

  2. Technical validation and severity assessment

  3. Remediation or mitigation

  4. Final determination on bounty eligibility

Severity is determined by actual risk, not by complexity or effort.

Bug Bounty Program (Discretionary)

We do not guarantee monetary rewards. Bounties are:

  • Awarded at our sole discretion

  • Based on validated real-world impact

  • Determined after remediation

Indicative reward ranges:

  • Critical (auth bypass, data breach, privilege escalation): €250 – €750

  • High (significant data exposure, serious misconfiguration): €100 – €250

  • Medium (limited impact, strong mitigations): €50 – €100

  • Low: No monetary reward

We reserve the right to:

  • Decline a bounty

  • Provide non-financial recognition (e.g. acknowledgment)

  • Merge duplicate or related reports

  • Reduce rewards for previously known issues

Legal Safe Harbor

If you comply with this policy, we will not pursue legal action against you for your security research. This does not grant permission to violate any applicable laws.

Contact

Please submit reports to:

security@metgrace.nl