Bug Bounty Program

Last Updated: July 29, 2025


At GroundControl, we prioritize the security of our products and the protection of our customers. We appreciate the efforts of the security community and welcome responsible disclosures that help protect our customers, products, and infrastructure.

🔍 Scope
Our Bug Bounty Program covers vulnerabilities across all assets referenced from our domain. However, testing must be limited to our production web application: https://na-app.gndctl.com

Please adhere to the following scope limitations:
- Avoid high-frequency automated scanning or fuzzing tools.
- Focus on manual inspection and probing techniques.

🚫 Out of Scope

The following are considered out of scope for this program:
- Vulnerabilities in third-party services not managed by Ground Control
- Social engineering attacks (e.g., phishing)
- Denial of service (DoS) attacks or stress testing
- Reports from automated tools or scanners without clear exploitability
- Physical attacks against Ground Control employees or assets

📣 Responsible Disclosure
We require that any vulnerabilities be reported directly to us via email at itsec@gndctl.com. The following guidelines should be followed:
- Provide detailed steps to reproduce the vulnerability.
- Do not exploit the vulnerability beyond the proof-of-concept needed to demonstrate it.
- Give us a reasonable amount of time to address the issue before disclosing it to others.

🎁 Rewards
Rewards are based on the severity and impact of the vulnerability reported. The final reward amount will be determined at our discretion, up to a maximum of $500.

✅ Eligibility
To be eligible for a reward:
- The vulnerability must be previously unknown and not reported by another party.
- The report must include sufficient information to reproduce the vulnerability.
- You must comply with all applicable laws in connection with your testing and disclosure.

⚖️ Legal
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith and follow the rules of our bug bounty program.

Conclusion
We appreciate the efforts of the security community in making our products safer. Thank you for helping us protect our customers and improve our services. For any questions or clarifications, feel free to reach out to us at itsec@gndctl.com.