
Ostrom Vulnerability Disclosure Program
Ostrom drives the green energy revolution towards net zero emissions by making renewable energy more accessible & inclusive. By creating a seamless, multilingual, digital-native energy platform, we help consumers switch to, manage and reduce their electricity consumption.
We are already delivering energy in more than 1000 german cities and have won clients from over 140 different traditional providers.
Ostrom is looking forward to building a safe platform for our customers together with the security community.
We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web apps/mobile apps. Good luck, and happy hunting!
Program Rules
- Please DO NOT complete signups/orders in the PRODUCTION environment (api.ostrom.de and join.ostrom.de domains plus signups through our mobile app are OUT of scope)
- Please DO NOT create test reviews in our Trustpilot or Google review accounts.
- Please DO NOT test our customer live chat.
- Please provide detailed reports with reproducible steps.
- Social engineering (e.g. baiting, phishing, pretexting) is prohibited.
- Always do an effort to avoid customer data privacy violations, data deletion, and any interruption of our servers.
- Please only interact with your own account or with the explicit permission of the account holder.
Out of scope vulnerabilities
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Any activity that could lead to the disruption of our service (DoS).
Ratings/Rewards:
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Scope
Program rules
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.