We appreciate security research and reward valid vulnerability reports that help us protect our users.
Follow the rules below and you can receive a reward of up to €250 per qualifying report.
Our goal is to collaborate with researchers to keep our platform secure. If you follow this policy, act in good faith and avoid impacting users or data, we will not pursue legal action (“safe harbor”).
This approach is consistent with how established providers handle responsible disclosure and public programs.
⏱️ Initial response within 72 hours after submission; coordinated remediation thereafter.
Security issues that affect EgoPvP-owned services and domains:
- Main website: egopvp-hosting.com
- Customer panel & dashboard (incl. billing where applicable)
- Wiki & documentation: wiki.egopvp-hosting.com
- Any other subdomains under *.egopvp-hosting.com that are operated by us
⚠️ Third‑party infrastructure (e.g., payment processors like PayPal/Stripe) is out of scope; report those to the vendor directly.
- Denial of Service (DoS/DDoS), volumetric or stress testing; actions that degrade service stability
- Automated scanners that generate excessive traffic or brute force attacks
- Social engineering, phishing, or attacks against our staff/customers
- Physical security attacks against a customer’s machine or access to data centers
- Privacy issues arising from third‑party services (payment gateways, analytics)
- Non‑security bugs (UI/UX, typos) – please use a support ticket instead
- Virus-infected customer machines being used to access or steal credentials
These restrictions mirror common industry rules to protect service quality during testing.
- Use your own test accounts only. Do not access, modify, or exfiltrate other users’ data.
- Minimize impact: no service disruption, no mass scanning, no persistent payloads on shared systems.
- Do not penetrate any third-party services that we are using. Other systems might not have a bug bounty program and might take legal action. Please report third-party breaches to the appropriate companies.
- Stop immediately if you encounter sensitive data and include a redacted PoC only.
- Do not publicly disclose before we confirm remediation or agree on a coordinated timeline.
- Penetration testing of our services is permitted within this policy; anything beyond requires written approval.
- Only the first valid report is eligible.
- Known issues / accepted risks are not a valid report.
- Issues / vulnerabilities that rely on other vulnerabilities to work and would only theoretically be an issue are not eligible, as the dependent vulnerability is not “active” / you are not reporting it, and the one you are reporting is only “an effect” enabled by the dependent one.
- AI-generated reports are automatically rendered INVALID.
Please email [email protected] with the subject “Vulnerability Report – [short title]”.
Include:
- Affected domain/service and environment (prod/test)
- Vulnerability type and impact (CVSS if possible)
- Reproduction steps (step‑by‑step), PoC, and screenshots
- Suggested remediation or references
- Your contact & payout preference (PayPal or account credit)
Subject: Vulnerability Report – [XSS in wiki.egopvp-hosting.com]
Target: https://wiki.egopvp-hosting.com/[path]
Impact: Stored XSS (CVSS 3.1 ~ 6.1 / Medium)
Steps: 1) ... 2) ... 3) ...
PoC: <script>alert(1)</script>
Notes: No user data accessed. Tested on my own account only.
Contact: <name> – PayPal preferred
🔐 Please avoid attaching live exploits that could harm users; send minimal PoCs only.
Any reports that do not follow the described rules/scopes are invalid.
Rewards depend on severity, impact, and report quality (first valid report only). Amounts are guidelines; we may adjust at our discretion.
Please do not spam reports via different e-mails. Any spam will be marked invalid, answered once, and then ignored in the future.
- Payment window: Within 14 German business days after validation & fix confirmation.
- Method: PayPal or account credit; identity verification and legal compliance may be required.
- Acknowledge receipt within 7 business days.
- Triage & reproduce; we may request more details.
- Fix scheduling based on severity & complexity.
- Coordinated disclosure after remediation or by mutual agreement (we align with standard VDP practices).
- If you comply with this policy and act in good faith, we will not pursue legal action.
- Do not intentionally access personal data; if encountered, stop and report immediately.
- This program does not create an employment relationship or a right to a bounty; rewards are discretionary.
- We may update program scope and terms at any time.