Report Security Issues

Security Vulnerability Disclosure & Bounty Program

If you discover a security vulnerability on bricobodrum.com, we encourage you to report it to us immediately. We will review all legitimate vulnerability reports and do our best to resolve the matter quickly.

Before reporting, please read this document carefully, including:

  • Fundamentals

  • Bounty Program

  • Reward Guidelines

  • Non-Reportable Issues

1. Fundamentals

If you follow the principles below when reporting a security issue to Brico Bodrum, we will not pursue legal action or enforcement against you in response to your report.

We ask that you:

  1. Allow us reasonable time to investigate and fix the issue before making any information public or sharing it with others.

  2. Do not interact with private accounts (including modifying or accessing data) without the account owner’s consent.

  3. Make a good faith effort to avoid privacy violations, destruction of data, or disruption of services.

  4. Do not exploit the vulnerability you discover for any reason (e.g., accessing sensitive company data, escalating privileges, or attempting to chain further exploits).

  5. Do not violate any applicable laws or regulations while conducting security research.

2. Bounty Program

We value and reward security researchers who help us protect our platform. Monetary bounties are awarded at the sole discretion of Brico Bodrum, based on risk, impact, and other factors.

To qualify:

  1. Follow our fundamentals above.

  2. Report a genuine security bug that creates a security or privacy risk.

  3. Submit your report via our Security Center (please do not contact employees directly).

  4. If you accidentally access sensitive data or configurations, disclose this in your report.

  5. Understand that response times may vary due to report volume and prioritisation by risk.

  6. We reserve the right to publish reports for transparency and learning purposes.

3. Rewards

Rewards depend on the severity and impact of the vulnerability.

  • Critical Severity (Β£200)

    • Remote Code Execution (RCE)

    • Remote Shell/Command Execution

    • Vertical Authentication Bypass (e.g., escalate from user β†’ admin)

    • SQL Injection leaking targeted data

    • Full account takeover

  • High Severity (Β£100)

    • Lateral authentication bypass

    • Disclosure of sensitive corporate information

    • Stored XSS affecting another user

    • Local file inclusion

    • Insecure authentication cookie handling

  • Medium Severity (Β£50)

    • Logic or business process flaws

    • Insecure Direct Object References (IDOR)

    • Design flaws affecting multiple users with minimal interaction

  • Low Severity (Discretionary)

    • Open redirect

    • Reflected XSS

    • Low sensitivity information leaks

    • Issues requiring significant user interaction or prerequisites (e.g., MITM)

Reward Guidelines:

  1. Reports must include detailed steps to reproduce the issue.

  2. Duplicate reports: bounty goes to the first valid submission.

  3. Multiple vulnerabilities caused by the same underlying issue may be combined into a single bounty.

  4. Reward amounts depend on impact, exploitability, and report quality.

  5. Final reward amounts are determined at our discretion.

4. Contact

If you believe you have found a vulnerability, please contact us through our Security Center or directly at:

Brico Bodrum – Security Team
Jetselaan 77
1090 Jette, Belgium

πŸ“§ security@bricobodrum.com