Security Bounty Program

If you believe you have found a potential security bug, we’d appreciate a responsible disclosure via email sent to security@luigisbox.com. We’ll provide a financial reward for your report, based on the severity and impact of the reported bug. The maximum reward is 1000 EUR for critical issues.

Before you submit the report, make sure it is not one of the ineligible report types specifically mentioned in this document.

Standard response times

• Acknowledgment: within 2 business days
• Triage and classification: within 7 business days
• Payout: within 30 days

The standard payout tiers are as follows:

• None/Invalid: 0 EUR
• Low: 100 EUR
• Medium: 300 EUR
• High: 500 EUR
• Critical: 1000 EUR

Terms and conditions for payout

• You sign the NDA
• You will issue an invoice from a B2B legal entity
• The country of residence of your legal entity must not be on the EU sanctions list
• You are responsible for tax obligations in your country of residence
• We reserve the right to postpone the payout, or to split the payout into several smaller transactions, in case the volume of reports is high
• We reserve the right to classify the report severity and impact and select the reward amount on our discretion
• Only the first report of any given valid issue will be awarded. Once we receive a report, all other reports of the same issue will be rejected as duplicates. The reports are considered in the order they are received. We rely on mutual trust and do not provide “evidence” of the duplicate.
• We do not negotiate or haggle the bounty amount
• We reserve the right to to deem any issue invalid

Scope

Ineligible vulnerability types

• Issues with SPF, DKIM or DMARC configuration
• Distributed Denial of Service (DDOS)
• Best practice reports without a valid exploit (e.g., use of “weak” TLS ciphers)
• Best practice DNS configuration without a valid exploit
• Issues related to X-Frame-Options
• Logical bugs, or problems that are not security-related