ReelCiety Bug Bounty & Vulnerability Disclosure Program
This Bug Bounty & Vulnerability Disclosure Program defines how ReelCiety and its parent company, Nexa-Group, receive, assess, remediate, and respond to security vulnerabilities reported by independent researchers, partners, and the broader security community. This program exists to encourage responsible disclosure while protecting users, infrastructure, and corporate assets.
1. Program Purpose & Scope
ReelCiety recognizes the importance of collaboration with the global security research community. Responsible vulnerability reporting strengthens our defenses and helps prevent exploitation before harm occurs.
This program applies to:
- All ReelCiety production systems, applications, APIs, and infrastructure
- User-facing web and mobile applications
- Authentication, authorization, and identity systems
- Public APIs and developer tooling
- Supporting services operated directly by Nexa-Group
2. Responsible Disclosure Expectations
Security researchers are expected to follow responsible disclosure principles when identifying vulnerabilities. This ensures risks are mitigated before they can be abused.
Reporters must:
- Provide clear and reproducible steps
- Avoid exploiting vulnerabilities beyond proof-of-concept
- Refrain from accessing or modifying user data
- Not disclose vulnerabilities publicly before remediation
- Cooperate with investigation and remediation efforts
3. In-Scope Vulnerabilities
Examples of vulnerabilities generally considered in scope include:
- Authentication and authorization bypasses
- Remote code execution
- Privilege escalation
- Account takeover vulnerabilities
- Injection attacks (SQL, command, template, etc.)
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- API abuse leading to unauthorized access
- Information disclosure with security impact
4. Out-of-Scope Issues
The following are typically out of scope and may not qualify for rewards:
- Social engineering attacks against users or staff
- Denial-of-service (DoS) or traffic flooding tests
- Physical security issues
- Issues requiring unrealistic user interaction
- Vulnerabilities in third-party services outside our control
- Best-practice recommendations without demonstrable risk
5. Safe Harbor
Nexa-Group provides safe harbor for researchers who:
- Follow this policy in good faith
- Avoid data destruction or service disruption
- Do not extort or threaten disclosure
- Allow reasonable time for remediation
Safe harbor does not apply to actions that intentionally harm users, violate laws, or exceed the scope of responsible testing.
6. Submission Process
Vulnerabilities should be reported as soon as they are discovered. Reports must include:
- Description of the issue
- Affected systems or endpoints
- Steps to reproduce
- Potential impact assessment
- Any supporting screenshots or logs
7. Triage & Assessment
Upon receipt, reports are triaged by the security team to determine severity, scope, and risk. Severity classification considers exploitability, impact, and likelihood.
Possible outcomes include:
- Immediate remediation for critical issues
- Scheduled fixes for moderate risks
- Request for additional information
- Closure if out of scope or not reproducible
8. Remediation & Validation
Fixes are implemented following secure development practices and validated through testing. Reporters may be invited to confirm remediation where appropriate.
9. Bug Bounty Rewards
ReelCiety may offer monetary or non-monetary rewards for eligible vulnerabilities based on:
- Severity and impact
- Quality of report
- Originality of discovery
- Compliance with disclosure guidelines
Rewards are discretionary and subject to program rules, jurisdictional limitations, and internal review.
10. Confidentiality & Disclosure
All vulnerability reports are treated as confidential. Public disclosure may occur only after remediation and with mutual agreement.
11. Abuse of the Program
The program must not be used to:
- Threaten or extort
- Gain unauthorized access
- Disrupt services
- Collect user data
Abuse may result in disqualification and legal action.
12. Legal Considerations
Participation does not grant ownership of vulnerabilities. All intellectual property related to remediation belongs to Nexa-Group.
13. Program Changes
ReelCiety reserves the right to modify, suspend, or terminate this program at any time.
14. Contact
Vulnerability Reporting: security@reelciety.com
Bug Bounty Program: security@reelciety.com
Legal & Compliance: legal@nexa-group.org
