CoreTech working hard on security to keep service safe as possible but we know that some bugs are not discovered yet.
If you believe you've found a security issue in the services listed in our scope (TARGET), we will work with you to resolve it promptly and ensure you are fairly rewarded for your discovery.
|Min €||Max €||Type|
|Hall of Fame||
Blind vulnerability, possibility to exploit the vulnerability for phishing
|50 €||300 €||
Viewing or stealing by a single user (unsystematic), System slowdowns (server machine), Decrypting data, Viewing application data
|300 €||800 €||
Access to sensitive data of all users, Access or theft of data of a target user or multiple users, Access to important system data
|800 €||2000 €||
Critical access to systems, ability to encrypt servers, major damage to society
CoreTech may provide rewards to eligible reporters of qualifying vulnerabilities. Rewards amounts vary depending upon the severity of the vulnerability reported.
CoreTech keeps the right to decide if the minimum severity threshold is met and whether the scope of the reported bug is actually already covered by a previously reported vulnerability. Rewards are granted entirely at the discretion of CoreTech. To qualify for a reward under this program, you should
If the reported vulnerability, after an evaluation by the CoreTech staff, is not among the paid ones, a score that can be viewed in the hall of fame will be assigned. Upon reaching 50 CoreTech points it will allow you to redeem an economic prize worth 50 euros.
If you wish to report a vulnerability or if the vulnerability you discovered is not included among those specified in the Bug Bounty program, please let us know. We will carefully consider including it on the program specifications page.
We pay by:
|Sensitive data Exposure||
|Vulnerable and Outdated Components||
|Broken Access Control||
|Access to Systems||
We are happy to work with everyone who submits valid reports which help us improve our security.
However, only those that meet the following eligibility requirements may receive a monetary reward:
We intend to respond and resolve reported issues as quickly as possible. This means that you will receive progress updates from us periodically. Note that posting details or conversations about the report or posting details that reflect negatively on the program and the CoreTech brand, will result in immediate disqualification from the program.
They will not be eligible for cash rewards.
To report a valid vulnerability we kindly ask you to:
*If the form does not appear to be working, we ask you to send us an email with the subject "Bug Bounty (Contact us!)" to the email address firstname.lastname@example.org. Reports with a different subject or email may be marked as spam by our systems
*The video Demostration must include detailed instructions on how to exploit the vulnerability to attack the victim. This document must be formulated in a clear and reproducible way so that our team responsible for analyzing reports can evaluate it accurately. It should be noted that vulnerabilities that can only be exploited in a local environment of the attacker or require physical access to the victim's machine will not be taken into consideration for the purposes of remuneration.
Every 3 weeks we view new vulnerability reports. Please note that the reminder request on the same vulnerability can only be made 3 weeks after the first report. Reminders received before this period will be considered as spam and, in some cases, could influence the allocation of economic rewards.
By "sensitive data" we mean any non-public data.
By "critical access" we mean access to servers or services with admin permissions
By "major damage to society" we mean significant damage in terms of turnover or loss of data importanti in maniera irreversibile
By "language errors" we mean the display of errors from MySQL or other languages
By "Inactive or potential vulnerabilities" we mean all those vulnerabilities that do not lead to concrete damage but in some cases could lead to damage. For example an XXS that prints "1" but fails to do anything but print "1"
|Sohit Kumar Mahato||27||930|
|BrainStorm (aka Davide Bonsangue)||/||/|
|Hasibul Hasan Shawon (Twitter)||2||100|
|Mohammed Simo Latifi (Linkedin)||1||150|