ECU Security Bug Bounty Program
We value the work of security researchers.
If you have discovered a vulnerability in our systems, please report it responsibly using this form.
We will investigate every valid report and, where appropriate, offer a reward.
In scope
- ecu.eu and all subdomains
- ecu.de and all subdomains
- ecu-espana.es
- Our public-facing web applications and APIs
Out of scope
- Third-party software we use but do not control
- Denial-of-service attacks
- Social engineering / phishing
- Physical security
- Reports already publicly known (CVE-listed)
Rewards
Rewards depend on severity and impact. Examples of past payouts:
| Severity | Typical reward |
|---|---|
| Critical (CVSS ≥ 9.0) | € 100 – 500 |
| High (CVSS 7.0–8.9) | € 50 – 200 |
| Medium (CVSS 4.0–6.9) | € 15 – 50 |
| Low (CVSS < 4.0) | Acknowledgement / discretionary |
Rewards are paid via PayPal or bank transfer. We require a simple invoice for our accounting (German tax law).
How it works
- Submit your report using the form below.
- You receive a confirmation email with a private status link.
- Our security team reviews your report within 5 business days.
- We may ask follow-up questions via the status page.
- Once triaged, we inform you of our decision and any reward.
- If a reward is offered, we ask for invoice details — no data is retained after payment.