Bug Bounty

How to Report a Vulnerability

We’ve partnered with Intigriti, a trusted bug bounty platform, to handle all responsible disclosure submissions. Our program is private, so you’ll need to be invited before you can submit a report.

To request access:

• Email us your Intigriti username at security@nl.team.blue.

Once invited, you’ll be able to access our Intigriti program, where you’ll find:

• A detailed list of in-scope and out-of-scope systems.
• Rules of engagement for security testing.
• Submission guidelines.
• Potential rewards for eligible findings.

What's in the Scope?

You can find the current scope and testing guidelines directly on our Intigriti page.

What We Expect

We ask all researchers to follow these basic rules:

• Do not exploit vulnerabilities beyond what is necessary for proof-of-concept.
• Avoid impacting user data or privacy.
• No social engineering or physical testing.
• Keep your findings confidential until we’ve had a chance to fix the issue.

If you play by the rules, we commit to:

• Reviewing your report promptly.
• Keeping you informed about progress.
• Rewarding you when appropriate.
• Never taking legal action against responsible researchers.

Why Intigriti?

Using Intigriti benefits both sides:

• A secure and trusted platform for disclosure of vulnerabilities.
• Structured communication and feedback.
• Bounty rewards for accepted reports and easy payout.
• Optional anonymity for researchers.

By centralizing our vulnerability handling with Intigriti, we ensure a smooth, fair, and secure process for everyone involved.