G-Core Labs S.A., 2-4, rue Edmond Reuter, L-5326 Contern, Luxembourg (“Gcore”, “we”, “us”) welcomes feedback from security researchers and the general public (“reporter”, “you”) to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you via our bug bounty program (“Gcore Bug Bounty Program”) in accordance with this vulnerability disclosure policy. This vulnerability disclosure policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
This policy applies to any digital assets owned, operated, or maintained by Gcore, including but not limited to:
Please note that domains, assets, or other equipment not owned by us are out of scope of the Gcore Bug Bounty Program and this policy. Gcore cannot and does not authorize security research on third parties. Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority. Please find below examples of what is considered an asset not owned by us and therefore out of scope:
Anything not declared as a target or in scope above should be considered out of scope for the purposes of this policy. However, for the avoidance of doubt, below are examples of what is considered out of scope of this policy and not eligible for the Gcore Bug Bounty Program:
• Possible vulnerabilities that do not include proof of concept code or a demonstrated exploit
• Third-party websites, systems, platforms, or libraries with new or published vulnerabilities
• DoS/DDoS or any service disruptions
• Physical attacks, social engineering attacks, and phishing attacks of any kind
• Simple, non-XSS content injection
• Descriptive error messages, exposing software version or any "information disclosure"
• Spelling errors, UI and UX bugs
We may still reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via Gcore Bug Bounty Program.
When reporting vulnerabilities to us, according to this policy, you can expect us to:
• Respond to your report promptly, and work with you to understand and validate your report;
• Strive to keep you informed about the progress of the reported vulnerability as it is processed; and
• Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
Please note that any decision or action in relation to the disclosures is at the sole discretion of G-Core Labs.
In participating in our bug bounty program in good faith, we ask that you:
• Play by the rules, including following this policy and any other relevant agreements and policies. If there is any inconsistency between this policy and any other applicable terms, the terms of the policy or agreement which was updated later shall prevail (unless otherwise agreed by the parties);
• Report any vulnerability you’ve discovered promptly;
• Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming our service and/or user experience;
• Use only the official channels (e.g. firstname.lastname@example.org) to report vulnerabilities to us;
• Do not disclose the reported issue publicly;
• Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
• If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
• Interact only with test accounts you own or for which you have explicit permission from the account holder; and
• Do not engage in extortion.
Any breach of the principles outlined above may result in you being ineligible for the Gcore Bug Bounty Program.
Please report security issues to email@example.com, providing all relevant information, including a Proof of Concept or demo. The more details you provide, the easier it will be for us to triage and fix the issue. Please note that any report that you submit to us will become our property, and we are under no obligation to act on a report.
You grant to us a non-exclusive, worldwide, perpetual, irrevocable, fully-paid, royalty-free, sublicensable and transferable license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and to otherwise exploit the report, submission and/or disclosure for any purpose.
We will move as quickly as we can to remedy any critical issues, test the remedies, and get fixes out to customers. We ask that you wait until we’ve pushed out these fixes before you publicly disclose any issues. In some cases, we may need some extra time so that customers can update their integrations or user flows.
Any public vulnerability disclosure that does not have our written consent will result in you being ineligible for the Gcore Bug Bounty Program.
We follow the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Submitting a bug can qualify for a reward if you were the first researcher to alert us to a previously unknown issue, and the issue triggers a code or configuration change. We may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide to pay lower rewards for vulnerabilities that require unusual user interaction; decide that a single report actually constitutes multiple bugs; or decide that multiple reports are so closely related that they only warrant a single reward.
Tax implications of any payouts are the sole responsibility of the reporter.
| Priority | Reward range |
|---|---|
| P1 | 1,000 - 1,500 |
| P2 | 400 - 1,000 |
| P3 | 200 - 400 |
| P4 | 50 - 200 |
Gcore reserves the right to modify the terms and conditions of this policy and the Gcore Bug Bounty Program, or to cancel this program at any time. Your participation in the program (including by way of submitting a disclosure) constitutes acceptance of all terms. Any changes to this page are effective as of the time of posting.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we may take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels (as defined above) before going any further.
Note that this policy applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.