Report a Vulnerability
We take the security of our systems seriously. If you’ve found a security vulnerability, we’d love to hear from you. We value the work of security researchers and offer rewards for responsibly disclosed vulnerabilities — from a place on our Hall of Fame to monetary bounties for critical findings.
How to Report
The quickest way to report a vulnerability is through our Service Desk. It guides you through the submission process and ensures we have all the information needed for a fast response.
Important: We do not accept automated scanner reports or purely AI-generated submissions without manual verification.
Alternatively, you can send an email to security@seibert.group. If you report via email, please include the following information:
- Affected System — Which URL/domain is affected?
- Vulnerability Type — e.g., XSS, SQL Injection, IDOR
- Reproduction Steps — How can we replicate this?
- Impact — What can an attacker achieve?
- Proof of Concept — Screenshot, video, or code (optional)
- Your Contact — Email for follow-up
Scope
The following assets are covered by this program:
| Asset | Description |
|---|---|
| Systems with security.txt | All systems serving /.well-known/security.txt |
| Systems with DNS security entry | All domains with a security DNS TXT record |
| Internal systems | Internal systems that are accidentally public, if they are marked as in scope via security.txt or a DNS TXT record |
The following assets are explicitly excluded:
| Exclusion | Note |
|---|---|
| Atlassian Marketplace apps | Covered by the Atlassian Marketplace Bug Bounty Program |
| Hosted Atlassian instances | Confluence, Jira, etc. operated by Seibert Group |
| Customer applications | Systems operated by us on behalf of customers |
| Third-party services | Not our responsibility |
Rewards
All researchers who report valid vulnerabilities are recognized on our Hall of Fame. Critical and high severity findings are additionally eligible for a monetary reward.
| Severity | Bugcrowd VRT | Reward |
|---|---|---|
| Critical | P1 | up to $1,500 + Hall of Fame |
| High | P2 | up to $900 + Hall of Fame |
| Medium | P3 | Hall of Fame |
| Low | P4 | Hall of Fame |
Severity Classification
We use Bugcrowd’s Vulnerability Rating Taxonomy (VRT) as a reference for severity classification. The final rating is determined by Seibert Group based on actual business impact.
| Our Rating | Bugcrowd VRT | Examples |
|---|---|---|
| Critical | P1 | RCE, SQL Injection with data access, Authentication Bypass, XXE, Key Leak |
| High | P2 | Stored XSS, App-wide CSRF, SSRF (high impact), Application-wide DoS |
| Medium | P3 | Reflected XSS, 2FA Bypass, Subdomain Takeover, SSRF (scan) |
| Low | P4 | Clickjacking (sensitive action), IDOR (complex IDs), Token Leakage |
| Not eligible | P5 | Self-XSS, Missing Headers, Internal IP Disclosure |
Not Eligible
The following findings are not accepted as vulnerabilities:
- Missing security headers (CSP, HSTS, X-Frame-Options)
- DNS/email configuration (SPF, DMARC, DKIM)
- SSL/TLS settings
- Clickjacking on non-sensitive pages or without demonstrated impact
- Self-XSS
- Internal IP disclosure
- Rate limiting without concrete exploit
- Logout CSRF
- Username/email enumeration
- Missing autocomplete attributes
- Scanner-only results
- Previously reported vulnerabilities
- Third-party vulnerabilities without proof of exploit
Rules of Engagement
Allowed
- Testing on your own accounts
- Manual testing and custom scripts
- Non-destructive proof of concepts
Not Allowed
- Automated vulnerability scanners
- Accessing others’ data
- Social engineering against employees
- Denial of Service testing
- Physical security testing
- Public disclosure without our approval
Confidentiality
All reported vulnerabilities must be treated as confidential. You may not disclose any details about the vulnerability — including its existence — to any third party without our explicit written approval. This applies regardless of whether the vulnerability has been fixed.
Violation of this confidentiality requirement will result in:
- No bounty payment
- Removal from the Hall of Fame
- Seibert Group reserves the right to take further action
Our Process
Once we receive your report, here’s what happens:
| Step | Timeframe |
|---|---|
| Automatic acknowledgment | Immediately upon receipt |
| Personal response | Within 3 business days* |
| Initial assessment | Within 7 business days* |
| Remediation (critical/high) | Within 3 months |
| Fix confirmation | You’ll be notified once the issue is resolved |
*Business days = Monday to Friday, excluding German public holidays (Hesse region)
Safe Harbor
We will not pursue legal action against researchers who:
- Act in good faith
- Follow this policy
- Report responsibly
- Do not exfiltrate data or cause damage