Bug Bounty & Vulnerability Disclosure Program

1. Program Purpose & Scope

ReelCiety recognizes the importance of collaboration with the global security research community. Responsible vulnerability reporting strengthens our defenses and helps prevent exploitation before harm occurs.

This program applies to:

• All ReelCiety production systems, applications, APIs, and infrastructure
• User-facing web and mobile applications
• Authentication, authorization, and identity systems
• Public APIs and developer tooling
• Supporting services operated directly by Nexa-Group

2. Responsible Disclosure Expectations

Security researchers are expected to follow responsible disclosure principles when identifying vulnerabilities. This ensures risks are mitigated before they can be abused.

Reporters must:

• Provide clear and reproducible steps
• Avoid exploiting vulnerabilities beyond proof-of-concept
• Refrain from accessing or modifying user data
• Not disclose vulnerabilities publicly before remediation
• Cooperate with investigation and remediation efforts

3. In-Scope Vulnerabilities

Examples of vulnerabilities generally considered in scope include:

• Authentication and authorization bypasses
• Remote code execution
• Privilege escalation
• Account takeover vulnerabilities
• Injection attacks (SQL, command, template, etc.)
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• API abuse leading to unauthorized access
• Information disclosure with security impact

4. Out-of-Scope Issues

The following are typically out of scope and may not qualify for rewards:

• Social engineering attacks against users or staff
• Denial-of-service (DoS) or traffic flooding tests
• Physical security issues
• Issues requiring unrealistic user interaction
• Vulnerabilities in third-party services outside our control
• Best-practice recommendations without demonstrable risk

5. Safe Harbor

Nexa-Group provides safe harbor for researchers who:

• Follow this policy in good faith
• Avoid data destruction or service disruption
• Do not extort or threaten disclosure
• Allow reasonable time for remediation

Safe harbor does not apply to actions that intentionally harm users, violate laws, or exceed the scope of responsible testing.

6. Submission Process

Vulnerabilities should be reported as soon as they are discovered. Reports must include:

• Description of the issue
• Affected systems or endpoints
• Steps to reproduce
• Potential impact assessment
• Any supporting screenshots or logs

7. Triage & Assessment

Upon receipt, reports are triaged by the security team to determine severity, scope, and risk. Severity classification considers exploitability, impact, and likelihood.

Possible outcomes include:

• Immediate remediation for critical issues
• Scheduled fixes for moderate risks
• Request for additional information
• Closure if out of scope or not reproducible

8. Remediation & Validation

Fixes are implemented following secure development practices and validated through testing. Reporters may be invited to confirm remediation where appropriate.

9. Bug Bounty Rewards

ReelCiety may offer monetary or non-monetary rewards for eligible vulnerabilities based on:

• Severity and impact
• Quality of report
• Originality of discovery
• Compliance with disclosure guidelines

Rewards are discretionary and subject to program rules, jurisdictional limitations, and internal review.

10. Confidentiality & Disclosure

All vulnerability reports are treated as confidential. Public disclosure may occur only after remediation and with mutual agreement.

11. Abuse of the Program

The program must not be used to:

• Threaten or extort
• Gain unauthorized access
• Disrupt services
• Collect user data

Abuse may result in disqualification and legal action.

12. Legal Considerations

Participation does not grant ownership of vulnerabilities. All intellectual property related to remediation belongs to Nexa-Group.

13. Program Changes

ReelCiety reserves the right to modify, suspend, or terminate this program at any time.

14. Contact

Vulnerability Reporting: security@reelciety.com
Bug Bounty Program: security@reelciety.com
Legal & Compliance: legal@nexa-group.org