
Responsible Disclosure Policy

Help us keep our systems secure

Security Researchers Welcome

At Scorpiones, we take security seriously and consider the security research community as a valuable partner in identifying and addressing vulnerabilities. We encourage responsible disclosure of security vulnerabilities to help us protect our clients and improve our security posture.

Safe Harbor Protection
Compensation for Quality Reports
Fast Response Time

In-Scope Assets

Scorpiones Assets

  • *.scorpiones.io (all subdomains and web applications)
  • Any infrastructure or systems owned and operated by Scorpiones
  • Our cloud environments and resources
  • Internal tools and services accessible from the internet
  • Configuration issues in our systems that could lead to compromise

Valid Vulnerability Classes

  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Authentication and session management flaws
  • Server-Side Request Forgery (SSRF)
  • Remote Code Execution (RCE)
  • XML External Entity (XXE) attacks
  • Access control vulnerabilities
  • Information disclosure
  • Business logic flaws
  • Cryptographic weaknesses

Out of Scope

The following are explicitly out of scope and should NOT be tested:

  • Physical security testing or social engineering
  • Denial of Service (DoS/DDoS) attacks
  • Automated vulnerability scanning that causes service disruption
  • Third-party services or applications
  • Client systems or data
  • Non-technical vulnerabilities (e.g., customer support interactions)
  • Issues related to software or protocols not under our control
  • Recently disclosed vulnerabilities in software we depend on (publicly disclosed less than 30 days ago)
  • Spam, phishing, or any other social engineering of our employees

Testing Guidelines

Allowed Testing Methods

  • Manual security testing and analysis
  • Automated scanning with rate limiting (max 60 requests/minute)
  • Creating test accounts using your own information
  • Intercepting your own traffic
  • Testing against dedicated test instances when provided

Prohibited Actions

  • Accessing, modifying, or deleting other users' data
  • Performing actions that could degrade service performance
  • Pivoting from an internet-facing system into internal networks or systems that are not exposed to the internet
  • Uploading malware or malicious files
  • Publicly disclosing vulnerabilities before resolution
  • Demanding compensation or making threats

Best Practices

  • Use a clearly identifiable account (e.g., security_researcher_[yourname])
  • Stop testing once you've confirmed a vulnerability
  • Provide clear reproduction steps
  • Include proof-of-concept code when possible
  • Test during off-peak hours when possible
  • Clean up any test data you create

How to Report

Submission Requirements

Please include the following information in your report:

  • Asset: Affected domain, URL, or component
  • Vulnerability Type: Classification of the issue
  • Severity: Your assessment (Critical/High/Medium/Low)
  • Description: Clear explanation of the vulnerability
  • Reproduction Steps: Step-by-step instructions
  • Impact: Potential security impact
  • Proof of Concept: Screenshots, videos, or code
  • Remediation: Suggested fixes (optional)

Submission Methods

Email (Preferred)

Send reports to: [email protected]

PGP encryption available - request our public key

Response Timeline

Initial Response: Within 24 hours
Triage & Validation: Within 72 hours
Resolution Timeline: Based on severity (7-90 days)
Disclosure Coordination: After fix deployment

Critical Severity

Resolution within 7 days

High Severity

Resolution within 30 days

Medium Severity

Resolution within 60 days

Low Severity

Resolution within 90 days

Recognition & Compensation

Compensation Policy

While we don't operate a formal bug bounty program, we do compensate researchers for high-quality vulnerability reports at our discretion.

  • Invoice Required: Monetary compensation requires a proper invoice for accounting purposes
  • Alternative: Gift cards available for researchers unable to provide invoices
  • Quality Matters: Compensation amount based on severity, impact, and report quality
  • Discretionary: All rewards are at Scorpiones' sole discretion

Additional Recognition

Beyond potential compensation, we offer:

  • Public acknowledgment in our Security Hall of Fame (with permission)
  • Reference letters for exceptional findings
  • Scorpiones security researcher certificate
  • Priority consideration for security consulting opportunities

Safe Harbor

We consider security research conducted in accordance with this policy as:

  • Authorized conduct under the Computer Fraud and Abuse Act (CFAA)
  • Exempt from restrictions in our Terms of Service
  • Lawful and will not be pursued with legal action

If legal action is initiated by a third party against you for your security research, we will take steps to make it known that your actions were conducted in compliance with this policy.

Terms & Conditions

  • Testing must comply with all applicable laws and regulations
  • You must not access or modify data belonging to others
  • Findings must be kept confidential until mutually agreed disclosure
  • You must not exploit vulnerabilities beyond proof of concept
  • We reserve the right to modify this policy at any time
  • Participation constitutes agreement to these terms

Contact Information

Security Team

[email protected]

PGP Key

Available upon request

Response Time

24 hours for initial response

Thank you for helping us maintain the security of our systems and protecting our clients. Your efforts are greatly appreciated!