
SKIKK Responsible Disclosure Program

Overview

At SKIKK, the security of our systems and the protection of our customers’ data are top priorities.
Despite our best efforts, vulnerabilities may still exist. We therefore welcome responsible security research and provide this Responsible Disclosure Program to enable researchers to report security issues safely and ethically.

This program is intended for good-faith security research only.

Scope

In-scope domains

  • www.skikk.eu

Only systems owned and operated by SKIKK are in scope. Third-party services, integrations, and external providers are out of scope, unless explicitly stated otherwise.

In-scope vulnerability categories

We are primarily interested in vulnerabilities that may impact the confidentiality, integrity, or availability of our systems or customer data, including but not limited to:

  • Sensitive Data Exposure

  • Authentication & Session Management issues

  • Insecure Direct Object References (IDOR)

  • Injection vulnerabilities (SQL, command, etc.)

  • Cross-Site Scripting (XSS) – stored or reflected

  • Remote Code Execution (RCE)

  • Security misconfiguration

  • Broken access control

  • Directory / path traversal

  • Exposure of credentials or secrets

Out-of-scope findings

The following are not eligible for rewards and may be closed without further review:

  • Social engineering, phishing, vishing, or impersonation

  • Denial-of-Service (DoS / DDoS) testing

  • Brute-force attacks or account enumeration

  • Automated scanner output without manual validation

  • Weak password policy suggestions

  • Missing HTTP headers without demonstrated risk

  • Cookie flags on non-sensitive cookies

  • Clickjacking or CSRF on non-sensitive pages

  • Email SPF / DKIM / DMARC configuration issues

  • Open redirects without security impact

  • Self-exploitation or theoretical issues only

  • Issues requiring unrealistic user interaction

  • Vulnerabilities already known to SKIKK

  • Reports based on leaked, stolen, or compromised credentials

Rules of engagement

When testing, you must:

  1. Test only on accounts you own and control

  2. Avoid actions that degrade service availability

  3. Not access, modify, or delete data belonging to other users

  4. Not upload malware or malicious payloads

  5. Not exploit vulnerabilities beyond proof of concept

  6. Not perform physical security testing

  7. Not disclose vulnerabilities publicly before resolution

  8. Delete any sensitive data obtained during testing

Failure to follow these rules may result in disqualification from the program.

Reporting a vulnerability

Please submit reports via email to:

security@skikk.eu

Your report should include:

  • A clear description of the issue

  • Affected URL(s) or endpoint(s)

  • Steps to reproduce

  • Proof of concept where applicable

  • Impact assessment

Incomplete or unclear reports may be rejected.

Our commitment

If you follow this policy, we commit to:

  • Acknowledge receipt of your report

  • Review and validate reported issues

  • Keep you informed of progress where appropriate

  • Not pursue legal action for good-faith research

  • Handle your report confidentially

Resolution timelines may vary depending on severity and complexity.

Rewards & payouts

SKIKK operates a discretionary rewards program, not a guaranteed bug bounty.

Reward eligibility

Rewards may be granted after an issue is verified and resolved, based on:

  • Impact / Severity

  • Likelihood / Probability

  • Quality of the report

Reward matrix (indicative)

Likelihood \ Impact    High            Medium         Low
High                   up to €1,000    up to €500     €0
Medium                 up to €500      €0             €0
Low                    €0              €0             €0

This matrix is indicative only. All rewards remain at SKIKK’s sole discretion.

Important notes

  • No rewards for duplicate or already-known issues

  • No rewards for multiple reports of the same issue

  • Rewards may be paid via bank transfer or equivalent

  • Researchers are responsible for tax obligations

  • Payouts may be restricted by applicable laws or sanctions

Identity verification

To be eligible for any reward, you must provide:

  • Verifiable personal information

  • Proof of identity (government-issued ID)

Anonymous or unverifiable submissions are not eligible for rewards.

Legal terms

By submitting a report, you confirm that:

  • You are the original author of the report

  • You grant SKIKK the right to use and act on the report

  • You will not disclose the vulnerability publicly without written consent

  • You will not use SKIKK’s name or brand for promotion

Final notes

This program may be modified or discontinued at any time without notice. Participation does not guarantee a reward.

Thank you for helping keep SKIKK and its customers secure.