Bug Bounty

Scope

• orenexus.com and *.orenexus.com
• OreNexus web application and authenticated APIs
• Mobile applications published by RenewEarth SL

Out of scope

• Denial-of-service attacks and volumetric testing
• Social engineering of staff or customers
• Physical attacks against our offices or infrastructure
• Issues in third-party services not operated by us
• Findings only reproducible on outdated browsers or unsupported platforms

Rules of engagement

• Do not access, modify or destroy data that does not belong to you.
• Use test accounts wherever possible.
• Give us a reasonable time to remediate before public disclosure.
• Comply with all applicable laws.

Rewards

Rewards are awarded at our discretion based on impact, exploitability and report quality. Critical issues may qualify for higher payouts. We also offer recognition in our security hall of fame for valid reports.

How to report

Send your report — including reproduction steps, impact and any proof-of-concept — to security@orenexus.com. Encrypted submissions are welcome on request.

Safe harbor

We will not pursue legal action against researchers who act in good faith and follow this policy.