Concourse Tech Inc. — Bug Bounty & Coordinated Vulnerability Disclosure Policy

Effective date: November 13, 2025 • Version: 1.0
Contact: security@concoursetech.com (recommended) or sales@concoursetech.com (interim)

Concourse Tech Inc. (“Concourse”, Legal Name: Concourse Tech Inc., UEI: R1XGH5JT24M1, CAGE: 09E17, FEIN: 92‑0732705) welcomes security research that helps us keep our products and customers safe. We operate exclusively in the U.S. public sector and take special care to avoid impact to government systems and data.

This policy describes what’s in scope, how to report, how we triage, reward guidelines, and legal safe harbor for good‑faith research.

1) Philosophy

  • Do no harm. Protect people, agencies, students, and data first.
  • Fix fast, disclose responsibly. Work with us under coordinated timelines.
  • Reward impact. We pay bounties for unique, high‑quality findings that create real risk reduction.

2) Scope

In scope

Security testing of internet‑accessible, Concourse‑owned assets:

  • concoursetech.com and all subdomains (e.g., *.concoursetech.com).
  • Concourse‑hosted production applications and APIs that we own and operate.
  • Open‑source code repositories under Concourse’s official organizations if exploitation affects our deployed services.

We will maintain up‑to‑date scope in our /.well-known/security.txt. If an asset is not clearly ours, assume out of scope and ask before testing.

Out of scope (strict)

  • Customer/government environments (e.g., networks, tenants, or instances operated by public‑sector clients).
  • Third‑party platforms and marketplaces (e.g., AWS, Azure, payment providers) unless the impact is demonstrated against our assets.
  • Social engineering, phishing, or physical attacks against Concourse employees, customers, or vendors.
  • Denial of service, volumetric or resource‑exhaustion testing, or spam.
  • Use of stolen credentials, leaked databases, or brute‑forcing (including credential stuffing).
  • Attacks that modify, destroy, or exfiltrate real customer or personal data.
  • Automated scanning that disregards rate limits or materially degrades service.

3) Eligibility

To be eligible for bounty and safe harbor, you must:

  • Act in good faith, follow this policy, and stop immediately if you encounter sensitive data.
  • Be at least 18 and not subject to U.S. sanctions or export restrictions.
  • Not be a current Concourse employee/contractor (or within 6 months of separation).
  • Not reside in, or be a national of, embargoed/sanctioned regions.
  • Be the first reporter of a unique, in‑scope issue with a clear, reproducible report.

4) Safe Harbor (Good‑Faith Research)

If you follow this policy:

  • Concourse authorizes your testing of in‑scope assets and will not pursue civil action or refer to law enforcement for accidental, good‑faith security research.
  • We will not enforce DMCA/CFAA claims based solely on your research activity aligned to this policy.
  • If legal third‑party claims arise, we’ll confirm your activity as authorized under this policy (to the extent we can).

Important: This safe harbor does not apply to testing of customer or government systems, out‑of‑scope assets, or activity that risks harm.

5) Rules of Engagement

  • Use test accounts you own. Do not access non‑public data that isn’t yours.
  • Data handling: If you unintentionally access sensitive data, stop immediately, do not save, process, or transmit it further, and report to us. Purge all copies after submission.
  • Proof‑of‑concept:
    • Aim for the minimum steps to show impact.
    • For data‑access issues, retrieve at most one non‑sensitive record or use synthetic data.
  • Traffic limits: Keep traffic low and respect headers/rate limits; absolutely no DoS or stress testing.
  • No persistence/backdoors. Do not maintain access beyond verifying impact.

6) What to Report (Examples)

Likely in scope (impactful):

  • Authentication/authorization bypass, IDOR/BOLA, broken access control.
  • Remote code execution, command injection, SQL/NoSQL injection, template injection.
  • Server‑side request forgery (SSRF) with meaningful impact.
  • Critical misconfigurations in our cloud that expose data or control planes.
  • Stored or reflected XSS that leads to session compromise or sensitive actions.
  • High‑impact CSRF, clickjacking on sensitive actions, business‑logic flaws.
  • Credential exposure in our repositories with exploitable impact to production.

Generally out of scope (no/low impact):

  • Informational findings without exploitability (e.g., version banners).
  • Missing X-* security headers, CSP, or SSL/TLS best‑practice deviations without concrete exploitation.
  • SPF softfail, DMARC p=none, lack of DNSSEC.
  • Open redirects without meaningful impact.
  • Rate‑limit findings that don’t yield account/data compromise.
  • Vulnerabilities in dependencies with no impact to our deployed services.

7) How to Report

Email: security@concoursetech.com (PGP available via /.well-known/security.txt).

If that address is not yet live, use sales@concoursetech.com.

Include:

  • Summary and affected asset/endpoint.
  • Step‑by‑step reproduction and clear impact.
  • Evidence (screenshots, minimal PoC, logs).
  • Suggested remediation (if known).
  • Your name/handle for acknowledgment and payment details.

We acknowledge receipt within 3 business days and provide triage updates at least every 10 business days until resolution.

8) Coordinated Disclosure Timeline

  • Embargo: Please do not publicly disclose details until we confirm remediation or 90 days have passed from acknowledgement, whichever is earlier.
  • We will request extensions for complex fixes; you are free to grant or deny, but please coordinate with us.

9) Bounty Rewards (USD guidelines)

Bounties depend on severity, exploitability, and report quality, and we will set these at our discretion.