Security

How we protect your WordPress sites and data.

Security Features

Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256)

DDoS Protection

Cloudflare network shields against volumetric attacks

Isolated Resources

Each site runs in its own container with dedicated resources

Daily Backups

Automated backups with 30-day retention and one-click restore

Infrastructure Security

  • Servers located in EU data centers with physical security controls
  • Regular security patches and updates
  • Network-level firewalls and intrusion detection
  • No shared hosting. Each site is fully isolated

Application Security

  • Free SSL certificates for all domains (Let's Encrypt)
  • Web Application Firewall (WAF) rules for common attacks
  • Automatic WordPress core and plugin updates available
  • PHP version selection with latest security patches

Account Security

  • Passwords hashed with bcrypt
  • Secure session management with automatic expiration
  • Account activity logging

Data Protection

  • Automated daily backups stored in separate location
  • 30-day backup retention
  • One-click restore from any backup point
  • Export your data anytime via SFTP or dashboard

Incident Response

In the event of a security incident, we will notify affected users within 72 hours with details of the incident and recommended actions.

Security Research Challenge

Part bug bounty, part capture-the-flag

This isn't your typical bug bounty. We've built something for researchers who appreciate the craft. Real vulnerabilities earn real rewards. There's also an Easter egg for those who understand the history of authentication security. No scanners. No spray-and-pray. Just you, the API, and your knowledge.

Current Focus: Authentication

For now, this program focuses exclusively on authentication bypass and privilege escalation vulnerabilities. Other vulnerability types (XSS, CSRF, etc.) are currently out of scope. We plan to expand coverage as the platform matures.

Rewards

  • Critical (up to €500): Auth bypass, privilege escalation, account takeover
  • High (up to €250): Token hijacking, claim manipulation, session fixation
  • Medium (up to €100): Rate limit bypass, information disclosure
  • Low (recognition): Minor misconfigurations, low-impact findings

Scope

  • IN: api.ng-stage.com (Staging API)
  • IN: app.ng-stage.com (Staging application)
  • OUT: *.nettingale.com (Production, out of scope)
  • OUT: Third-party services (External dependencies)

Rules of Engagement

  • Only test on staging. Never touch production
  • No DoS/DDoS testing
  • No social engineering or phishing attempts
  • No accessing other users' data beyond proof-of-concept
  • Report before public disclosure (90-day policy)
  • One account per researcher

Out of Scope

  • Intentional CTF challenges (check security.txt for details)
  • Missing security headers without a demonstrated exploit chain
  • Self-XSS or issues requiring unlikely user interaction
  • Clickjacking on pages without sensitive actions
  • Rate limiting on non-authentication endpoints
  • Vulnerabilities in third-party dependencies (report upstream)
  • Issues already reported or publicly known

If you can chain a missing header into an actual auth bypass, that's valid. Show us the impact.

How It Works

  • Submit reports through HackerOne only
  • We acknowledge reports within 48 hours and aim to validate within 7 days
  • Fixes are prioritized by severity. Critical issues are patched within 72 hours
  • Bounties are paid through HackerOne within 14 days of fix deployment
  • First valid report wins. Duplicates are closed as informative
  • Severity is determined at our discretion, but we discuss disagreements in good faith

Safe Harbor

Security research conducted in accordance with this policy is authorized. We will not pursue legal action against researchers acting in good faith.

Getting Started

HackerOne

Private Program

Our bug bounty program is private on HackerOne. To request an invitation, email security@nettingale.com with your HackerOne username and areas of interest. We review requests weekly and prioritize researchers with authentication security experience.

Invitations are required to participate. We do not accept reports outside of HackerOne.