Bug Bounty Program

Last updated: June 1, 2025

What is the Bug Bounty Program?

The Nordantech Bug Bounty Program provides a structured platform for developers and security researchers to responsibly report potential vulnerabilities in our code, infrastructure, or applications. We value responsible disclosure and reward submitted findings depending on their severity and exploitability. The goal is to strengthen the security of our systems together – through practical testing by experts who know how vulnerabilities arise and how to prevent them.

Which services are covered by the program?

We welcome reports on vulnerabilities identified in any of the following areas of our Falcon platform:

In scope

The following systems and components are covered by the Nordantech Bug Bounty Program:

  • Application: https://app.nordantech.com
  • Public API: https://api.nordan.tech
  • Production infrastructure: All live systems supporting the core services of the platform
  • Production-related subdomains: All subdomains under *.nordan.tech, if they relate to production system components

Out of scope

Any system or component not listed above is excluded from the Bug Bounty Program. This includes, for example, www.nordantech.com, staging environments and redirection domains (see rule 7 below). Security investigations on excluded systems are considered unauthorized, may be illegal, and may be subject to enforcement.

How can I participate in the program?

To participate in the Nordantech Bug Bounty Program, you need a sandbox environment with access to all Falcon features. Register exclusively using the form on this page – not via the regular trial. Only this registration creates special, short-lived sandbox environments that include all features of the Falcon platform.

After registration, you will receive an email with an activation link. Once you have activated your account, your sandbox environment will be available to you immediately.

Important notes

  • Each sandbox environment is valid for 3 days and will be automatically deleted afterwards, including all data.
  • Any number of sandbox environments can be created per email address.
  • Your user account will be automatically deleted after 7 days of inactivity.
  • No support is provided for sandbox environments.

Accepted email addresses

  • Business email addresses with your own company domain
  • Domains designated for white-hat pentesting (e.g. wearehackerone.com)
  • Verifiable domains owned by security researchers or security companies

Not accepted email addresses

  • Free email providers (e.g. Gmail, Yahoo, Outlook.com, GMX, Web.de)
  • Temporary or disposable email addresses

If you experience difficulties during registration, please contact us via chat on our website or by email at support@nordantech.com.

What rules apply to the program?

To ensure a safe, fair, and productive environment for all participants, we ask you to adhere to the following guidelines and terms when participating in the Nordantech Bug Bounty Program:

  1. Respect others' privacy
    Do not perform actions that access, alter, or delete data that does not belong to you. Only test with your own accounts and data.

  2. Avoid disrupting service operations
    Activities that may impact the availability, integrity, or stability of Falcon services – such as Denial-of-Service (DoS) attacks, flooding, spam, brute force, or other disruptions – are prohibited.

  3. Responsible disclosure
    Report discovered vulnerabilities confidentially to us and refrain from making public announcements until we have had the chance to fix the reported issues.

  4. No social engineering
    Do not engage in any form of social engineering attacks, including phishing, pretexting, or similar methods targeting Falcon employees, users, or systems.

  5. Use legal and authorized channels only
    Limit your activities to the systems defined in the scope. Unauthorized access to other systems or data is prohibited and may have legal consequences.

  6. Complete and reproducible reporting
    Your report should include clearly structured, reproducible steps along with all relevant technical details to facilitate rapid validation and processing. Generic bug reports without reproducible steps, vaguely described vulnerabilities, or CVEs without proof of exploitability in our systems will not be rewarded.

  7. Test only within the defined scope
    Vulnerabilities in systems outside the defined scope (e.g., www.nordantech.com, staging environments, redirection domains) will not be rewarded and may lead to exclusion from the program.

  8. No physical attacks or threats
    Physical security attacks or any form of threats against individuals or facilities are strictly prohibited.

  9. Eligibility
    Participants must be of legal age in their country of residence to take part in the Bug Bounty Program and receive rewards.

By participating in the Nordantech Bug Bounty Program, you agree to adhere to these rules and act with responsible intent.
We reserve the right to exclude participants from the program or withhold rewards if these guidelines are violated.

Safe Harbor

Nordantech commits to not pursuing legal action against security researchers who act in good faith and comply with the rules of this program. If you report a vulnerability responsibly and within the terms described above, we will refrain from taking action under criminal law (in particular § 202a of the German Criminal Code), unfair competition law, or similar regulations.

This safe harbor applies exclusively to activities that:

  • are strictly limited to the systems defined in the scope,
  • do not compromise, alter, or exfiltrate third-party data,
  • do not disrupt the operation of our services,
  • are reported to us promptly and in confidence.

Nordantech reserves the right to revoke this safe harbor if the above conditions are not met.

How do I report a vulnerability?

If you have discovered a potential vulnerability, we appreciate your responsible support in reporting it. Please follow the steps below to submit a report:

Preparing the report

Important: ALWAYS verify the vulnerability against our production systems (app.nordantech.com), using only your own sandbox environment, accounts, and data, before submitting a report. Generic or theoretical reports will not be considered.

Your report should contain a clear and detailed description of the issue and ideally include the following information:

  • Affected service or endpoint (e.g., api.nordan.tech)
  • Steps to reproduce the vulnerability
  • Expected vs. actual behavior
  • Relevant evidence such as screenshots, log files, or proof-of-concept code
Submitting the report

Send your report by email to: security@nordantech.com.

We recommend transmitting sensitive information securely (e.g., via PGP or S/MIME).

Ensuring availability

Our security team may contact you for follow-up questions. Please respond promptly to help speed up the analysis and resolution process.

Feedback and status updates

After receiving your report, our security team will carefully review the issue. We aim to acknowledge receipt of every report within 72 hours and keep you informed of the status of triage and resolution. You can expect an update on our findings and potential rewards within 90 days.

Maintaining confidentiality

Do not disclose any details of the reported vulnerability before we have officially confirmed the fix. Reports made public before that point are ineligible for a bounty payment.

What happens after the report?

Upon receiving a vulnerability report, our security team will review its validity, potential impact, and severity. Well-documented and reproducible reports will be prioritized.

We will determine whether the reported vulnerability falls within the defined scope. If it does, it will be classified and evaluated based on the Common Vulnerability Scoring System (CVSS) version 4.0:

https://www.first.org/cvss/calculator/4-0

Our technical team will work promptly to resolve the issue. We will remain in contact with the reporter throughout the process to request further details and provide updates.

After successfully addressing the vulnerability, we will assess the eligibility for a bounty payment according to the criteria of our program and recognize the researcher’s contribution.

Important Notice for Submissions

To qualify for a bounty, the reported vulnerability must meet all criteria: it must be valid and reproducible, fall within the defined scope, have been tested directly on our systems, and must not have been identified using prohibited methods.

NOT accepted:

  • Generic security reports without platform-specific testing
  • Theoretical vulnerabilities from CVE databases or security resources
  • Vulnerabilities that are technically impossible in our architecture
  • Vulnerabilities with negligible practical exploitability – e.g., theoretical attacks that are not feasible under real-world conditions
  • Automated scanner output without manual verification
  • Copy-paste reports from general security resources

Required for valid submissions:

  • Reproducible steps on app.nordantech.com or other in-scope systems
  • Concrete proof-of-concept with screenshots/videos from Falcon
  • Evidence that the vulnerability actually exists in our implementation

Duplicate and already known reports

A report will not be rewarded if the reported vulnerability:

  • has already been reported by another researcher – the bounty goes to the person whose report was received first,
  • was already known to us prior to the report – e.g., through internal security audits or other internal processes, or
  • is already being addressed – the vulnerability has already been identified and is currently being fixed.

In all three cases, we will inform submitters of the status of their report and the reason for the rejection.

Bounty payment

We prefer to pay bounties by bank transfer – we will issue a credit note as the billing document. For this we need:

  • Full name and address
  • IBAN
  • Tax number or tax ID (if available)

For smaller amounts, payment via PayPal is also possible – simply provide us with your PayPal email address.

Bounty overview

Category        CVSS 4.0 score   Bounty
Low Risk        0.1 – 3.9        €0 – €100
Medium Risk     4.0 – 6.9        €100 – €500
High Risk       7.0 – 8.9        €500 – €1,000
Critical Risk   9.0 – 10.0       €1,000 – €2,000

The final bounty amount is at the discretion of Nordantech and is based on severity, quality of the submission, and actual exploitability of the vulnerability.

Note: Bug bounty payments are generally considered taxable income in Germany – please check this individually.

Vulnerability disclosure

Reports whose details are made public before we have officially confirmed the fix are ineligible for a bounty payment. This applies regardless of how much time has passed since the report was submitted.


This translation is for information purposes only. In the event of any discrepancies between this version and the German version, the German version shall prevail.
