Security Center
Found something? We pay you for reporting it responsibly.
Cernet runs a coordinated-disclosure policy and a bug bounty programme. Below is how to report safely and what the reward structure looks like.
Bounty tiers
- Critical: $5,000.00+ (RCE, auth bypass, mass data exposure)
- High: $1,500.00+ (Privilege escalation, stored XSS, SSRF)
- Medium: $400.00+ (CSRF, IDOR, reflected XSS)
- Low: $100.00+ (Info disclosure, security headers)
How to report
- Send details to [email protected] or via security.txt
- Encrypt sensitive reports with our PGP key (0xCAFEBABE…)
- Describe the impact, repro steps, and proof-of-concept (if applicable)
- Give us 90 days to fix before disclosure
What's in scope
- cernet.host and all subdomains
- api.cernet.host
- The control panel (cp.cernet.host)
- Mail servers and webmail (webmail.cernet.host)
What is NOT in scope
- Phishing or social engineering against our staff
- DoS / DDoS testing (request permission first)
- Customer sites running on our hosting (report to the customer)
- Automated scanner output without validation
- Best practices without an actual exploit (CSP, HSTS suggestions)
Our promise
- Acknowledgement within 24 hours
- Triage and initial assessment within 5 business days
- Full updates until the fix is live
- Hall-of-fame credit (optional)
- No legal action against good-faith researchers
Hall of fame
Recently thanked: Markus W., Anouk B., @h4ck3rzero, Pieter J., @sec-research-nl.