Last updated: June 1, 2025
What is the Nordantech Bug Bounty Program?
The Nordantech Bug Bounty Program provides a structured platform for developers and security researchers to responsibly report potential vulnerabilities in our code, infrastructure, or applications. We value responsible disclosure and reward submitted findings depending on their severity and exploitability. The goal is to strengthen the security of our systems together – through practical testing by experts who know how vulnerabilities arise and how to prevent them.
Which digital services are covered by the program?
We welcome reports on vulnerabilities identified in any of the following areas of our Falcon platform:
In scope
The following systems and components are covered by the Nordantech Bug Bounty Program:
- Application: https://app.nordantech.com
- Public API: https://api.nordan.tech
- Production infrastructure: All live systems supporting the core services of the platform
- Production-related subdomains: All subdomains under *.nordan.tech, if they relate to production system components
Out of scope
The following systems and components are excluded from the Bug Bounty Program. Security investigations on these systems are considered unauthorized:
- Nordantech website: https://www.nordantech.com
- Non-production environments: Staging, testing, development, or integration systems
- Information and redirection domains: Domains that do not provide active application functionality (e.g., https://support.nordantech.com or https://status.nordantech.com)
Please note that digital services not listed above are not part of the Bug Bounty Program. A security investigation of such unlisted services may be considered illegal and subject to enforcement.
Rules for the Bug Bounty Program
To ensure a safe, fair, and productive environment for all participants, we ask you to adhere to the following guidelines and terms when participating in the Nordantech Bug Bounty Program:
Respect others' privacy
Do not perform actions that access, alter, or delete data that does not belong to you. Only test with your own accounts and data.
Avoid disrupting service operations
Activities that may impact the availability, integrity, or stability of Falcon services – such as Denial-of-Service (DoS) attacks, flooding, spam, brute-force attacks, or other disruptions – are prohibited.
Responsible disclosure
Report discovered vulnerabilities confidentially to us and refrain from making public announcements until we have had the chance to fix the reported issues.
No social engineering
Do not engage in any form of social engineering attack, including phishing, pretexting, or similar methods targeting Falcon employees, users, or systems.
Use legal and authorized channels only
Limit your activities to the systems defined in the scope. Unauthorized access to other systems or data is prohibited and may have legal consequences.
Complete and reproducible reporting
Your report should include clearly structured, reproducible steps along with all relevant technical details to facilitate rapid validation and processing. Generic bug reports without reproducible steps, unclear security vulnerabilities, or CVE references without proof that the issue affects our systems will not be rewarded.
Test only within the defined scope
Vulnerabilities in systems outside the defined scope (e.g., www.nordantech.com, staging environments, redirection domains) will not be rewarded and may lead to exclusion from the program.
No physical attacks or threats
Physical security attacks or any form of threats against individuals or facilities are strictly prohibited.
Eligibility
Participants must be of legal age in their country of residence to take part in the Bug Bounty Program and receive rewards.
By participating in the Nordantech Bug Bounty Program, you agree to adhere to these rules and act with responsible intent.
We reserve the right to exclude participants from the program or withhold rewards if these guidelines are violated.
Reporting vulnerabilities
If you have discovered a potential vulnerability, we appreciate your responsible support in reporting it. Please follow the steps below to submit a report:
Preparing the report
Important: ALWAYS confirm the vulnerability against our production systems (app.nordantech.com) before submitting a report, using only your own accounts and data and without disrupting service, as required by the rules above. Generic or theoretical reports will not be considered.
Your report should contain a clear and detailed description of the issue and ideally include the following information:
- Affected service or endpoint (e.g., api.nordan.tech)
- Steps to reproduce the vulnerability
- Expected vs. actual behavior
- Relevant evidence such as screenshots, log files, or proof-of-concept code
Submitting the report
Send your report by email to: security@nordantech.com.
We recommend transmitting sensitive information securely (e.g., via PGP or S/MIME).
Ensuring availability
Our security team may contact you for follow-up questions. Please respond promptly to help speed up the analysis and resolution process.
Feedback and status updates
After receiving your report, our security team will carefully review the issue. We aim to acknowledge all valid reports within 72 hours and keep you informed of the status of triage and resolution. You can expect an update on our findings and potential rewards within 90 days.
Maintaining confidentiality
Please do not disclose any details of the vulnerability before we have confirmed and addressed it. We will keep you updated on the progress throughout the process.
Handling reported vulnerabilities
Upon receiving a vulnerability report, our security team will review its validity, potential impact, and severity. Well-documented and reproducible reports will be prioritized.
We will determine whether the reported vulnerability falls within the defined scope. If it does, it will be classified and evaluated based on the Common Vulnerability Scoring System (CVSS) version 4.0:
https://www.first.org/cvss/calculator/4-0
Our technical team will work promptly to resolve the issue. We will remain in contact with the reporter throughout the process to request further details and provide updates.
After successfully addressing the vulnerability, we will assess the eligibility for a bounty payment according to the criteria of our program and recognize the researcher’s contribution.
Important Notice for Submissions
To qualify for a bounty, the reported vulnerability must meet all criteria: it must be valid and reproducible, fall within the defined scope, have been tested directly on our systems, and must not have been identified using prohibited methods.
NOT accepted:
- Generic security reports without platform-specific testing
- Theoretical vulnerabilities from CVE databases or security resources
- Vulnerabilities that are technically impossible in our architecture
- Automated scanner output without manual verification
- Copy-paste reports from general security resources
Required for valid submissions:
- Reproducible steps on app.nordantech.com or related in-scope systems
- Concrete proof-of-concept with screenshots/videos from Falcon
- Evidence that the vulnerability actually exists in our implementation
What bounties are paid?
| Category | Low Risk | Medium Risk | High Risk | Critical Risk |
|---|---|---|---|---|
| CVSS Score | 0.1 – 3.9 | 4.0 – 6.9 | 7.0 – 8.9 | 9.0 – 10.0 |
| Bounty | €0 – €100 | €100 – €500 | €500 – €1,000 | €1,000 – €2,000 |
This translation is for information purposes only. In the event of any discrepancies between this version and the German version, the German version shall prevail.