Report Security Issues
Reporting Fundamentals
If you discover a security vulnerability on rohmanhardware.com, and follow the principles below, we will not initiate a lawsuit or enforcement action against you in response to your report.
We ask that you:
- Give us reasonable time to review and fix the issue before publicly disclosing any information about it or sharing it with others.
- Do not access or modify private accounts without the account owner’s consent.
- Make a good-faith effort to avoid privacy violations or disruptions, including destruction of data or interruptions to our services.
- Do not exploit the vulnerability for any purpose, including demonstrating additional risk or attempting to access sensitive company data.
- Comply with all applicable laws and regulations while investigating the issue.
Bug Bounty Program
We recognize and reward security researchers who help us maintain a safe environment by reporting vulnerabilities in our services.
Bounties are awarded at Rohman Hardware’s discretion, based on risk, impact, and other factors. To potentially qualify for a bounty:
- Follow the Reporting Fundamentals above.
- Report a security bug—a vulnerability in our services or infrastructure that creates a security or privacy risk. Rohman Hardware will determine the severity of the issue.
- Submit your report via our security center. Please do not contact employees directly.
- If you unintentionally cause a privacy violation or disruption (e.g., accessing account data or service configurations), disclose it in your report.
- We investigate and respond to all valid reports. Due to volume, prioritization is based on risk and other factors, so response times may vary.
- Rohman Hardware reserves the right to publish reports.
Rewards
Rewards are based on the impact of the vulnerability. The program may be updated over time, and feedback is welcome to improve it.
Guidelines:
- Provide detailed reports with reproducible steps. Incomplete reports may not qualify for a bounty.
- For duplicate reports, only the first complete report will be awarded a bounty.
- Multiple vulnerabilities caused by a single underlying issue will be treated as one bounty.
- Bounty amounts are determined based on impact, ease of exploitation, and quality of report. All rewards are at Rohman Hardware’s discretion.
Severity Levels and Rewards
Critical Vulnerabilities (£200)
Issues that allow privilege escalation, remote code execution, financial theft, or full platform compromise.
Examples:
- Remote Code Execution / Remote Shell
- Vertical authentication bypass
- SQL Injection exposing sensitive data
- Full account access
High Severity Vulnerabilities (£100)
Issues that impact platform security or processes.
Examples:
- Lateral authentication bypass
- Disclosure of sensitive company information
- XSS affecting other users
- Local file inclusion
- Insecure authentication cookie handling
Medium Severity Vulnerabilities (£50)
Issues affecting multiple users, requiring minimal or no interaction to exploit.
Examples:
- Logic flaws or business process defects
- Insecure object references
Low Severity Vulnerabilities
Issues affecting a single user, requiring significant interaction or preconditions to exploit.
Examples:
- Open redirect
- Reflected XSS
- Low-sensitivity information leaks