Gcore S.A., 2-4, rue Edmond Reuter, L-5326 Contern, Luxembourg (“Gcore”, “we”, “us”) welcomes feedback from security researchers and the general public (“reporter”, “you”) to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you via our bug bounty program (“Gcore Bug Bounty Program”) in accordance with this vulnerability disclosure policy. This vulnerability disclosure policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

Systems in Scope

This policy applies to any digital assets owned, operated, or maintained by Gcore, including but not limited to:

• *.gcore.com
• *.gcorelabs.com
• *.gcore.lu
• *.gcore.top
• *.gcdn.co
• https://github.com/g-core

Out of Scope

Please note that domains, assets, or other equipment not owned by us are out of scope of Gcore Bug Bounty Program and this policy. Gcore cannot and does not authorize security research on third parties. Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority. Please find below examples of what is considered as assets not owned by us and therefore out of scope:

• hosting.gcore.com
• kvm.gcore.com
• dci.gcore.com
• support.gcorelabs.com (Zendesk portal).

Anything not declared as a target or in scope above should be considered out of scope for the purposes of this policy. However, for the avoidance of doubts, below are examples of what is considered out of scope of this policy and not eligible for G-Core Labs Bug Bounty Program:

• Possible vulnerabilities that do not include proof of concept code or a demonstrated exploit
• Third-party websites, systems, platforms, or libraries with new or published vulnerabilities
• DoS/DDoS or any service disruptions
• Physical attacks, social engineering attacks, and phishing attacks of any kind
• Simple, non-XSS content injection
• Descriptive error messages, exposing software version or any "information disclosure"
• Spelling errors, UI and UX bugs

We may still reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via G-Core Labs Bug Bounty Program.