Bug Bounty


Responsible Disclosure / Bug Bounty

25Space is currently not part of a public bug bounty platform. However, we welcome responsible disclosures and may offer rewards at our discretion, depending on impact, quality of the report, and scope.


Important notice: Due to a significant increase in AI-generated and low-quality submissions, we are temporarily limiting the scope of our current bug bounty program. Many recent reports have been unnecessarily lengthy, factually inaccurate, or not aligned with the intended purpose of responsible security vulnerability reporting. While we will continue to review all incoming submissions with appropriate care and scrutiny, we reserve the right to adjust our handling, prioritization, and further course of action at our sole discretion. Details regarding internal assessment criteria or follow-up procedures will not be disclosed externally. Thank you for your understanding.



How to report

Send your report to [email protected]. If you want to be added to our security/bug bounty contact list, please mention this in your email.

Safe harbor and rules

Security testing can be illegal if it violates German law or any other applicable law. Our rules do not override any laws. We will not intentionally pursue legal action against researchers who follow the rules below, act in good faith, and do not cause harm, unless we are required to do so by applicable law.
  • Do not disrupt our services: no DDoS, load testing, brute force, scanning at high rates, or actions that degrade availability.
  • Do not access, modify, delete, or exfiltrate data that is not yours. If you encounter sensitive data, stop immediately and report it.
  • No social engineering (e.g., phishing), no physical attacks, and no threats or extortion.
  • Use the minimum testing necessary to demonstrate the issue (proof of concept, not exploitation).
  • Keep it confidential until we have investigated and fixed the issue (coordinated disclosure).

Scope

Only vulnerabilities affecting 25Space-owned systems and services are eligible. Third-party services we do not control may be out of scope. If you are unsure, include the affected hostname(s) and service name in your report.

Out of scope (examples)

  • Denial-of-service (DoS/DDoS), load testing, or rate-based disruption.
  • Spam, email reputation issues, or generic scanner reports without a verifiable security impact.
  • Social engineering, credential stuffing, or attacks against our customers.
  • Issues requiring physical access or attacks on end-user devices.
  • Reports that only describe theoretical risk without reproduction steps.

What to include in a report

  • Affected URL / endpoint / hostname and product/service name
  • Clear reproduction steps (step-by-step)
  • Proof of impact (what an attacker can achieve)
  • Evidence (screenshots, logs, request/response samples)
  • Your proposed mitigation (optional)

Response timeline

We aim to acknowledge reports within a reasonable timeframe. Validation and remediation can take time depending on severity and complexity. In many cases, a review window of up to 14-20 days is normal.

Rewards / Payments

Any reward is voluntary and granted at our sole discretion. There is no entitlement to any payment or consideration. Rewards depend on severity, exploitability, clarity, and novelty (not previously known/reported). Where appropriate, we may offer free 25Space services instead of a cash payout, especially for low-severity findings. Examples (subject to availability and agreement):
  • MailAPI Basic – 12 months
  • Online Cronjob – 12 months
  • Certificate Checker – 12 months
Cash rewards are typically considered in a broad range (e.g., USD 20 to USD 100) depending on the verified impact and scope. Higher amounts are exceptional and require strong evidence of significant risk reduction. Rewards are subject to legal and tax requirements. If local tax law requires an invoice or other documentation, we may be unable to process a cash payment without it. Service credits, where offered, are provided for a defined period and then automatically revert to regular pricing under the terms in effect at that time. Standard terms of business and use apply.

Duplicate / known issues

We may already be aware of certain issues (internally or via prior reports). Duplicate reports are appreciated, but usually not eligible for additional rewards. For security reasons, we do not publish a public list of known issues.

Legal note

Nothing on this page creates any contractual obligation. This program is a voluntary good-faith initiative by 25Space.