What is the Nordantech Security Bounty Program?
The Nordantech Security Bounty Program provides a structured platform for developers and security researchers to responsibly report potential vulnerabilities in our code, infrastructure, or applications. We value responsible disclosure and reward submitted findings depending on their severity and exploitability. The goal is to strengthen the security of our systems together – through practical testing by experts who know how vulnerabilities arise and how to prevent them.
Which digital services are covered by the program?
We welcome reports on vulnerabilities identified in any of the following areas of our Falcon platform:
In scope
The following systems and components are covered by the Nordantech Security Bounty Program:
- Application: https://app.nordantech.com
- Public API: https://api.nordan.tech
- Production infrastructure: All live systems supporting the core services of the platform
- Production-related subdomains: All subdomains under *.nordan.tech, if they relate to production system components
Out of scope
The following systems and components are excluded from the Security Bounty Program. Security investigations on these systems are considered unauthorized:
- Nordantech website: https://www.nordantech.com
- Non-production environments: Staging, testing, development, or integration systems
- Information and redirection domains: Domains that do not provide active application functionality (e.g., https://support.nordantech.com or https://status.nordantech.com)
Please note that digital services not listed above are not part of the Security Bounty Program. A security investigation of such unlisted services may be considered illegal and subject to enforcement.
Rules for the Security Bounty Program
To ensure a safe, fair, and productive environment for all participants, we ask you to adhere to the following guidelines and terms when participating in the Nordantech Security Bounty Program:
Respect others' privacy
Do not perform actions that access, alter, or delete data that does not belong to you. Only test with your own accounts and data.
Avoid disrupting service operations
Activities that may impact the availability, integrity, or stability of Falcon services – such as Denial-of-Service (DoS) attacks, flooding, spam, brute force, or other disruptions – are prohibited.
Responsible disclosure
Report discovered vulnerabilities confidentially to us and refrain from making public announcements until we have had the chance to fix the reported issues.
No social engineering
Do not engage in any form of social engineering attacks, including phishing, pretexting, or similar methods targeting Falcon employees, users, or systems.
Use legal and authorized channels only
Limit your activities to the systems defined in the scope. Unauthorized access to other systems or data is prohibited and may have legal consequences.
Complete and reproducible reporting
Your report should include clearly structured, reproducible steps along with all relevant technical details to facilitate rapid validation and processing.
Test only within the defined scope
Vulnerabilities in systems outside the defined scope (e.g., www.nordantech.com, staging environments, redirection domains) will not be rewarded and may lead to exclusion from the program.
No physical attacks or threats
Physical security attacks or any form of threats against individuals or facilities are strictly prohibited.
Eligibility
Participants must be of legal age in their country of residence to take part in the Security Bounty Program and receive rewards.
By participating in the Nordantech Security Bounty Program, you agree to adhere to these rules and act with responsible intent.
We reserve the right to exclude participants from the program or withhold rewards if these guidelines are violated.
Reporting vulnerabilities
If you have discovered a potential vulnerability, we appreciate your responsible support in reporting it. Please follow the steps below to submit a report:
Preparing the report
Your report should contain a clear and detailed description of the issue and ideally include the following information:
- Affected service or endpoint (e.g., api.nordan.tech)
- Steps to reproduce the vulnerability
- Expected vs. actual behavior
- Relevant evidence such as screenshots, log files, or proof-of-concept code
Submitting the report
Send your report by email to: security@nordantech.com.
We recommend transmitting sensitive information securely (e.g., via PGP or S/MIME).
Ensuring availability
Our security team may contact you for follow-up questions. Please respond promptly to help speed up the analysis and resolution process.
Maintaining confidentiality
Please do not disclose any details of the vulnerability before we have confirmed and addressed it. We will keep you updated on the progress throughout the process.
We aim to acknowledge all valid reports within 72 hours and keep you informed of the status of triage and resolution.
Handling reported vulnerabilities
Upon receiving a vulnerability report, our security team will review its validity, potential impact, and severity. Well-documented and reproducible reports will be prioritized.
We will determine whether the reported vulnerability falls within the defined scope. If it does, it will be classified and evaluated based on the Common Vulnerability Scoring System (CVSS) version 4.0:
https://www.first.org/cvss/calculator/4-0
Our technical team will work promptly to resolve the issue. We will remain in contact with the reporter throughout the process to request further details and provide updates.
After successfully addressing the vulnerability, we will assess the eligibility for a bounty payment according to the criteria of our program and recognize the researcher’s contribution.
What bounties are paid?
Category | Low Risk | Medium Risk | High Risk | Critical Risk |
---|---|---|---|---|
CVSS Score | 0.1 – 3.9 | 4.0 – 6.9 | 7.0 – 8.9 | 9.0 – 10.0 |
Bounty | €0 – €100 | €100 – €500 | €500 – €1,000 | €1,000 – €5,000 |