Bug Bounty Program

Solarius values the security of our Services and the trust of our users. Our Bug Bounty Program is designed to reward security researchers and ethical hackers who help us identify and resolve valid vulnerabilities.

Responsible Disclosure

If you discover a security vulnerability in any Solarius product or service, we ask that you:

  • Report it directly to us at bugs@solarius.me
  • Avoid disclosing the issue publicly until it is resolved
  • Avoid accessing or modifying data without permission
  • Act in good faith and comply with applicable laws

Scope

We are interested in reports for: authentication or authorization bypasses, remote code execution, privilege escalation, data leakage or exposure, remote denial of service, cross-site scripting (XSS), and other vulnerabilities that could compromise the security of our Services.

Minor issues (e.g., missing headers, clickjacking without real impact, outdated libraries without proof of exploitability) are typically out of scope unless chained with more severe vulnerabilities.

Rewards

We offer monetary rewards for valid, previously unreported vulnerabilities. Rewards are based on the severity, impact, and quality of the report, within the following ranges:

  • $100 - Low severity
  • $250-$500 - Medium severity
  • $750+ - High/critical severity

Final reward decisions are at the sole discretion of the Solarius security team.

Eligibility

To qualify for a reward:

  • You must be the first to report the issue
  • You must follow responsible disclosure practices
  • You must not violate any laws or user privacy (accessing or modifying user data without permission is strictly prohibited; if it happens accidentally, you must notify us and not retain any data)
  • You must provide a working proof-of-concept (if applicable)

Employees, contractors, and vendors of Solarius B.V. are not eligible.

Acknowledgments

We appreciate every report and may list valid contributors on our disclosures portal unless you request anonymity. We may also provide public acknowledgment of significant contributions. Critical vulnerabilities may be disclosed publicly after resolution, with your permission.

Changes to This Policy

We may update these terms with 30 days' notice (email or in-platform notification). Continued use constitutes acceptance.

Contact Us

For questions or concerns about these terms, please contact us at: legal@solarius.me or through our support portal at solarius.me.