Rewards and Eligibility
Forculus may, at its sole discretion, offer a reward as recognition for validated security vulnerability reports submitted in good faith. Rewards are not guaranteed. Whether a reward is granted, and the type or amount of that reward, is determined exclusively by Forculus based on severity, impact, exploitability, report quality, and adherence to this policy.
Eligible rewards may include public recognition in our Hall of Fame, limited merchandise, or a monetary bounty for critical, high-impact findings. Lower-risk or informational issues generally receive non-monetary recognition only. Duplicate reports, previously known issues, non-exploitable scenarios, and submissions that do not meet evidence requirements are not eligible for any reward.
All validated security vulnerability reports will receive at a minimum a certificate of appreciation.
To remain eligible, researchers must follow coordinated disclosure practices, avoid service disruption, and act without malicious intent, consistent with ISO 27001 A.5 - A.6, SOC 2 Security and Confidentiality criteria, and NIS2 expectations for responsible handling of vulnerabilities. Any attempt to demand payment or apply pressure for compensation voids eligibility.
Forculus retains full authority to determine reward outcomes, limit availability, or decline rewards entirely when circumstances warrant.
Reward Levels
The information below represents the reward levels Forculus uses for severity-driven handling and controlled reward governance. The reward levels and examples listed are provided for guidance only and do not constitute a contractual promise, offer, or obligation. Forculus reserves the sole right to determine eligibility, severity classification, and whether any reward, monetary or otherwise, is granted. All rewards are discretionary, may be withheld for any reason, and are subject to change without prior notice. Submission of a report does not create any legal relationship, entitlement, or expectation of compensation.
Severity Level: Low
Typical Impact Profile: Minimal security impact; limited or no exploitability; informational or hygiene issues (e.g., minor email misconfigurations, missing headers).
Eligibility Requirements: Report must be reproducible, non-disruptive, and submitted in good faith.
Reward Type: Public Recognition Only
Notes: No monetary rewards. Forculus may decline recognition for trivial or already-known issues.
Severity Level: Medium
Typical Impact Profile: Observable impact but limited scope; partial exposure or misconfigurations without direct compromise potential.
Eligibility Requirements: Clear proof-of-concept required; must follow coordinated disclosure rules.
Reward Type: Public Recognition + Optional Merchandise
Notes: Rewards granted at Forculus’ discretion. Not all valid findings qualify.
Severity Level: High
Typical Impact Profile: Significant security risk; potential compromise of confidentiality, integrity, or availability; high exploitability.
Eligibility Requirements: High-quality submission with detailed evidence and real-world scenario analysis.
Reward Type: Public Recognition + Merchandise (and exceptionally, monetary reward if impact is substantial)
Notes: Monetary rewards are not guaranteed and are granted only when justified by risk.
Severity Level: Critical
Typical Impact Profile: Severe, systemic, or easily exploitable vulnerabilities leading to full compromise or impactful operational risk.
Eligibility Requirements: Complete, reproducible proof; responsible handling with no service disruption.
Reward Type: Public Recognition + Monetary Reward (amount determined solely by Forculus)
Notes: Reward magnitude depends on impact, exploitability, and quality. Duplicate reports receive no reward.
Certificate Usage Policy
Forculus may issue a Certificate of Appreciation to security researchers who submit validated findings in good faith and in full compliance with this Responsible Disclosure Policy. The certificate serves solely as an acknowledgment of ethical reporting and constructive collaboration.
Permitted Use
Researchers may use the certificate for the following purposes only:
Inclusion in a personal portfolio, CV, or professional skills profile
Display on professional networking platforms (e.g., LinkedIn), provided the certificate is shown accurately and unaltered
Submission to bug bounty reputation platforms or prospective employers as evidence of ethical conduct
Personal recordkeeping as proof of participation in coordinated vulnerability disclosure
Prohibited Use
To ensure legal clarity and protect all parties, the certificate may not be used to:
Imply endorsement, employment, affiliation, or partnership with Forculus
Support commercial, marketing, promotional, or advertising activities
Justify or authorize any continued security testing outside the defined scope
Misrepresent capabilities, responsibilities, or any relationship with Forculus
Modify, alter, or reproduce the certificate in any misleading manner
Legal and Administrative Conditions
The certificate does not create any contractual rights, entitlements, or ongoing obligations.
Forculus reserves the right to verify authenticity, revoke a certificate in cases of misuse, and update this policy without prior notice.
The certificate does not provide immunity from legal action for any activities conducted outside the boundaries of this policy or outside authorized testing practices.
Use of the certificate must remain consistent with ISO 27001 (A.5 - A.6), SOC 2 Security and Confidentiality principles, and NIS2 expectations for responsible vulnerability handling.
