Bug Bounty Program

At Ordnary (KVK: 95732888), we take security seriously. We value the security community and believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users. This Bug Bounty Program outlines our guidelines for security researchers who wish to report vulnerabilities.

Program Overview

Our Bug Bounty Program rewards security researchers who discover and responsibly disclose security vulnerabilities in our systems. We encourage ethical hackers and security researchers to help us keep Ordnary and our users safe.

Rewards & Bounties

As a startup, we offer modest monetary rewards based on the severity and impact of the vulnerability discovered. While our budget is limited, we are committed to recognizing valuable security research:

Critical Severity (€250 - €500)

• Remote code execution on production systems
• SQL injection leading to data breach
• Authentication bypass affecting all users
• Full account takeover without user interaction
• Direct database access or exposure

High Severity (€100 - €250)

• Cross-Site Scripting (XSS) with significant impact
• Cross-Site Request Forgery (CSRF) on critical actions
• Server-Side Request Forgery (SSRF)
• Privilege escalation
• Broken authentication or session management
• Exposure of sensitive user data

Medium Severity (€50 - €100)

• Information disclosure (non-sensitive data)
• Business logic flaws
• Reflected XSS with limited impact
• Insecure direct object references
• Rate limiting bypass

Low Severity (Acknowledgment)

• Self-XSS
• Missing security headers (minor)
• UI redressing/clickjacking
• Information leakage (minimal impact)

Note: Final reward amounts are determined by Ordnary based on impact, exploitability, and quality of the report. Low severity issues receive public acknowledgment but no monetary reward.

Scope

The following assets are within the scope of our Bug Bounty Program:

In Scope

• ordnary.com - Main website and all subdomains
• MockScene Platform - Application and API endpoints
• Gradient Platform - Learning management system
• Mobile Applications - iOS and Android apps (when available)
• API Endpoints - All public and authenticated APIs
• Authentication Systems - Login, registration, password reset flows

Out of Scope

• Third-party services and integrations
• Social engineering attacks
• Physical security issues
• Denial of Service (DoS/DDoS) attacks
• Spam or social engineering reports
• Reports from automated tools without manual verification
• Issues already reported or being fixed
• Theoretical vulnerabilities without proof of concept

Submission Guidelines

What to Include in Your Report

A good vulnerability report should include:

• Detailed Description: Clear explanation of the vulnerability
• Steps to Reproduce: Step-by-step instructions to replicate the issue
• Proof of Concept: Screenshots, videos, or code demonstrating the vulnerability
• Impact Assessment: Potential impact and attack scenarios
• Affected URLs/Endpoints: Specific locations where the vulnerability exists
• Suggested Fix: (Optional) Recommendations for remediation
• Environment Details: Browser, OS, tool versions used

How to Submit

Send your vulnerability reports to: security@ordnary.com

For sensitive reports, you may encrypt your message using our PGP key (available upon request).

Response Timeline

• Initial Response: Within 48 hours
• Validation: Within 5 business days
• Resolution Timeline: Based on severity
  • Critical: 7 days
  • High: 14 days
  • Medium: 30 days
  • Low: 60 days
• Reward Payment: Within 30 days after fix validation

Rules & Guidelines

Responsible Disclosure

To participate in our Bug Bounty Program, you must:

• Make a good faith effort to avoid privacy violations, data destruction, and service disruption
• Only interact with accounts you own or with explicit permission from the account holder
• Do not perform actions that could harm the reliability/integrity of our services
• Do not access or modify data that does not belong to you
• Do not exfiltrate data from our services
• Give us reasonable time to fix the issue before public disclosure
• Do not publicly disclose the vulnerability until we have released a fix

Testing Guidelines

• Use test accounts for testing (you may create them)
• Do not send unsolicited emails or spam users
• Do not run automated scanners without permission
• Limit your testing to what is necessary to demonstrate the vulnerability
• Do not exploit the vulnerability beyond the minimum necessary to prove it exists

Eligibility

• You must be the first to report the vulnerability
• The vulnerability must be a qualifying issue (within scope and severity)
• You must comply with all program rules
• You must not be a current or former employee, contractor, or immediate family member
• You must be at least 18 years old (or have parental consent)
• Participants from countries under sanctions may be ineligible for monetary rewards

Disqualifications

The following will result in disqualification from the program:

• Violations of program rules
• Social engineering of Ordnary employees or contractors
• Testing third-party applications or services
• Public disclosure before fix is deployed
• Demanding payment or threatening disclosure
• Submitting the same vulnerability to multiple parties simultaneously

Hall of Fame

With your permission, we will acknowledge security researchers who have helped make Ordnary more secure:

2025 Contributors

Be the first to appear on our Hall of Fame! Submit a valid vulnerability report to get started.

Non-Qualifying Vulnerabilities

The following are generally not eligible for bounties:

• Missing security best practices without proof of exploitability
• Clickjacking on pages without sensitive actions
• CSRF on forms available to anonymous users
• Missing HTTP security headers without demonstrated impact
• SSL/TLS configuration issues
• SPF/DMARC/DKIM issues without demonstrated abuse
• Reports from automated tools without manual validation
• Self-XSS that cannot be used to exploit other users
• Logout CSRF
• Username/email enumeration
• Host header injection without proof of exploitability
• Open redirects that cannot be exploited
• Rate limiting on non-critical functionality

Tips for Researchers

• Quality over Quantity: One well-documented high-severity bug is better than ten low-quality reports
• Be Thorough: Detailed reproduction steps help us validate and fix faster
• Check for Duplicates: Search our security advisories before submitting
• Be Patient: Validation and fixing takes time, especially for complex issues
• Stay Professional: Clear communication helps everyone
• Read the Guidelines: Understanding scope and rules saves time

Safe Harbor

Ordnary commits to the following Safe Harbor provisions for security researchers:

• We will not pursue legal action against researchers who discover and report vulnerabilities in accordance with this policy
• We will work with you to understand and validate your report
• We will acknowledge your contribution (with your permission)
• We will keep you updated on the status of your report

If legal action is initiated by a third party against you related to your participation in this program, we will take steps to make it known that your actions were conducted in compliance with this policy.

Contact Information

For security-related inquiries and vulnerability reports:

Email: security@ordnary.com
PGP Key: Available upon request
Company: Ordnary
KVK: 95732888
Location: Netherlands

Legal

By participating in our Bug Bounty Program, you agree to:

• Follow all program rules and guidelines
• Comply with all applicable laws and regulations
• Grant Ordnary the right to use your name and report details for acknowledgment purposes

Ordnary reserves the right to modify or cancel this program at any time. We reserve the right to determine the severity and validity of each report and the amount of any reward.

Program Updates

This Bug Bounty Program may be updated periodically. Please check this page regularly for the latest guidelines and scope. The "Last updated" date at the top indicates when changes were last made.

Thank You

Thank you for helping us keep Ordnary secure! Your efforts help protect our users and improve the security of our products. We appreciate the security research community dedication to making the internet safer for everyone.

Questions? Contact us at security@ordnary.com