🛡️ RISCO Public Bug Bounty Program

RISCO's Bounty Program Banner

🎯 Purpose
We are committed to the security and privacy of our customers and systems. We recognize the valuable role that security researchers play in improving our ecosystem and welcome responsible disclosures of vulnerabilities.


✅ Scope

We accept vulnerability reports affecting the following:

In-Scope Targets

  • *.riscogroup.com
  • *.riscocloud.com
  • Web application portal (authenticated and unauthenticated)
  • APIs and mobile apps owned by Risco LTD
  • Cloud services managed directly by Risco LTD
  • RISCO’s physical products

❌ Out-of-Scope

  • 3rd-party platforms or vendors (unless explicitly authorized)
  • Denial-of-Service (DoS/DDoS) or rate-limit testing without coordination
  • Social engineering or phishing
  • Physical attacks or internal employee accounts
  • Staging, QA, or sandbox environments unless explicitly whitelisted
  • Issues that do not represent a security vulnerability (e.g., UI bugs, spelling errors)

🔒 Rules of Engagement

By participating, you agree to the following:

  • Do not access, modify, or destroy data that doesn’t belong to you.
  • No automated scanning or brute-force attacks.
  • Do not disrupt services or degrade user experience.
  • No public disclosure of vulnerabilities prior to a fix or written permission.
  • Submit a clear, reproducible Proof of Concept (PoC).
  • Operate in good faith and within legal boundaries.

We will not pursue legal action against security researchers who follow these rules.


🏆 Bounty Rewards

We offer monetary rewards for eligible, high-quality reports based on severity:

Severity      | Description                                                                   | Reward Range
Critical      | Unauthenticated RCE, full account takeover, major data exposure               | $3,000 – $7,000
High          | Privilege escalation, limited data exposure, major business logic flaws       | $1,000 – $3,000
Medium        | Rate-limit bypasses, stored XSS, authenticated abuse of functionality         | $500 – $1,500
Low           | Reflected XSS, CSRF, information leaks with limited impact                    | $100 – $500
Informational | Best practice issues, headers, version exposure                               | Recognition only

Final reward amounts are at our discretion, based on:

  • Quality of the report and PoC
  • Exploitability and impact
  • Whether it was the first valid report

📝 How to Report

Please email us at security@riscogroup.com with the following:

  • Description of the vulnerability
  • Affected endpoint or system
  • Steps to reproduce
  • Any screenshots, logs, or proof-of-concept code
  • Optional: Your HackerOne/Bugcrowd/LinkedIn/GitHub profile

🏅 Recognition

Valid submissions may receive:

  • Public listing in our Security Researcher Hall of Fame
  • Priority consideration for future private bounty programs

⏱️ Response Times

We aim to:

  • Acknowledge your report within 2 business days
  • Provide a triage status within 7 business days
  • Deliver resolution or status updates within 30 days


📄 Legal Safe Harbor

We support security research that follows the rules above and will not initiate legal action against researchers who act in good faith. If you’re unsure whether a specific activity is in scope, contact us first.