We appreciate security research and reward valid vulnerability reports that help us protect our users.
Follow the rules below and you can receive a reward of up to €250 per qualifying report.
Our goal is to collaborate with researchers to keep our platform secure. If you follow this policy, act in good faith and avoid impacting users or data, we will not pursue legal action (“safe harbor”).
This approach is consistent with how established providers handle responsible disclosure and public programs.
⏱️ Initial response within 72 hours after submission; coordinated remediation thereafter.
Security issues that affect EgoPvP-owned services and domains:
- Main website: egopvp-hosting.com
- Customer panel & dashboard (incl. billing where applicable)
- Wiki & documentation: wiki.egopvp-hosting.com
- Any other subdomains under *.egopvp-hosting.com that are operated by us
⚠️ Third‑party infrastructure (e.g., payment processors like PayPal/Stripe) is out of scope; report those to the vendor directly.
- Denial of Service (DoS/DDoS), volumetric or stress testing; actions that degrade service stability
- Automated scanners that generate excessive traffic or brute force attacks
- Social engineering, phishing, or attacks against our staff/customers
- Physical security attacks or access to data centers
- Privacy issues arising from third‑party services (payment gateways, analytics)
- Non‑security bugs (UI/UX, typos) – please use a support ticket instead
These restrictions mirror common industry rules to protect service quality during testing.
- Use your own test accounts only. Do not access, modify, or exfiltrate other users’ data.
- Minimize impact: no service disruption, no mass scanning, no persistent payloads on shared systems.
- Stop immediately if you encounter sensitive data and include a redacted PoC only.
- Do not publicly disclose before we confirm remediation or agree on a coordinated timeline.
- Penetration testing of our services is permitted within this policy; anything beyond requires written approval.
Please email [email protected] with the subject “Vulnerability Report – [short title]”.
Include:
- Affected domain/service and environment (prod/test)
- Vulnerability type and impact (CVSS if possible)
- Reproduction steps (step‑by‑step), PoC, and screenshots
- Suggested remediation or references
- Your contact & payout preference (PayPal or account credit)
Subject: Vulnerability Report – [XSS in wiki.egopvp-hosting.com]
Target: https://wiki.egopvp-hosting.com/[path]
Impact: Stored XSS (CVSS 3.1 ~ 6.1 / Medium)
Steps: 1) ... 2) ... 3) ...
PoC: <script>alert(1)</script>
Notes: No user data accessed. Tested on my own account only.
Contact: <name> – PayPal preferred
🔐 Please avoid attaching live exploits that could harm users; send minimal PoCs only.
Rewards depend on severity, impact, and report quality (first valid report only). Amounts are guidelines; we may adjust at our discretion.
- Duplicates: Only the first valid report is eligible.
- Known issues / accepted risks: Not eligible.
- Payment window: Within 14 German business days after validation & fix confirmation.
- Method: PayPal or account credit; identity verification and legal compliance may be required.
Public programs from major providers use similar tiering and coordinated disclosure.
- Acknowledge receipt within 72 hours.
- Triage & reproduce; we may request more details.
- Fix scheduling based on severity & complexity.
- Coordinated disclosure after remediation or by mutual agreement (we align with standard VDP practices).
- If you comply with this policy and act in good faith, we will not pursue legal action.
- Do not intentionally access personal data; if encountered, stop and report immediately.
- This program does not create an employment relationship or a right to a bounty; rewards are discretionary.
- We may update program scope and terms at any time.
See also: