Ostrom Vulnerability Disclosure Program

  • Safe harbor
  • No collaboration

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted: 2
  • Validation within 3 days: 75% of submissions are accepted or rejected within 3 days

Ostrom drives the green energy revolution towards net zero emissions by making renewable energy more accessible & inclusive. By creating a seamless, multilingual, digital-native energy platform, we help consumers switch to, manage and reduce their electricity consumption.
We are already delivering energy in more than 1000 German cities and have won clients from over 140 different traditional providers.

Ostrom is looking forward to building a safe platform for our customers together with the security community.
We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web apps/mobile apps. Good luck, and happy hunting!

Program Rules

  • Please DO NOT complete signups/orders in the PRODUCTION environment (api.ostrom.de and join.ostrom.de domains plus signups through our mobile app are OUT of scope)
  • Please DO NOT create test reviews in our Trustpilot or Google review accounts.
  • Please DO NOT test our customer live chat.
  • Please provide detailed reports with reproducible steps.
  • Social engineering (e.g. baiting, phishing, pretexting) is prohibited.
  • Always make an effort to avoid customer data privacy violations, data deletion, and any interruption of our servers.
  • Please only interact with your own account or with the explicit permission of the account holder.

Out of scope vulnerabilities

The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Any activity that could lead to the disruption of our service (DoS).


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.