At Copernica we take appropriate measures to maintain a high level of security. We believe that working together with independent security researchers helps us identify, fix and minimize the risk of security vulnerabilities. Therefore, we have launched the Copernica Bug Bounty Program today. If you believe you have discovered a security vulnerability in our online environment, we encourage you to notify us and to collaborate with us on a coordinated disclosure of that vulnerability. Through the Copernica Bug Bounty Program, security researchers who report an issue receive a reasonable monetary reward for their efforts, with a value depending on the severity of the issue at hand. If you have noticed a security issue, please contact us via email at email@example.com.
You are eligible for a reward if you report an original and previously unreported, undisclosed vulnerability.
You are eligible for a reward if you report security vulnerabilities within our online environment. This includes, among others, our publicly accessible website and APIs.
You must provide a clear description of the vulnerability.
Vulnerabilities in pre-release versions (beta, dev, etc.) and in inactive versions are not eligible.
For security reasons, you must not publicly disclose any information about the vulnerability before it has been fixed.
(Former) Copernica employees are excluded from participation.
Issues that rely on techniques such as clickjacking are not considered vulnerabilities eligible for a reward.
Reported vulnerabilities are evaluated by Copernica and rated as low, medium or high. This evaluation is final and no correspondence will be entered into regarding the decision.
Low: issues with little impact, such as self-XSS (cross-site scripting that a user can only trigger against their own session). €50
Medium: issues with somewhat higher impact but without the risk of a data leak, such as unauthorized privilege escalation of a user within an account. €100
High: critical vulnerabilities, such as (potential) exposure of customer data, or account hijacking that requires neither social engineering nor a CSRF attack. €250