Bug Bounty & Vulnerability Disclosure Policy

At Poppy Mobility, we consider the security of our systems and the data of our users to be of paramount importance. We welcome the security community's help in identifying potential vulnerabilities and offer compensation for impactful findings.

This policy outlines our rules of engagement, reward structure, and what we expect from you.

1. Safe Harbor

If you conduct your security research and vulnerability disclosure in good faith and in compliance with this policy, we will consider your actions authorized. We will not initiate legal action or law enforcement investigations against you related to your research.

2. Guidelines and “Do No Harm”

We require that all researchers strictly adhere to the following guidelines:

• Avoid disruption: Do not disrupt our services or perform Denial of Service (DoS/DDoS) attacks.
• Protect data: If you encounter user data, stop immediately. Do not view, alter, save, store, transfer, or otherwise access data that does not belong to you.
• No social engineering: Do not attempt phishing, spamming, or social engineering against our employees, contractors, or customers.
• No physical testing: Physical attacks against our offices, vehicles, data centers, or employees are strictly forbidden.

3. Quality of Reporting (Anti-Spam Policy)

We do not accept raw output from automated scanners or AI-generated reports of theoretical vulnerabilities.

To ensure your report is reviewed and eligible for a bounty, your submission must include:

• A clear Proof of Concept (PoC): Step-by-step instructions allowing us to manually reproduce the vulnerability.
• Demonstrated Impact: A brief explanation of the practical business or security impact.
• Safe Exploitation: Demonstrate the flaw safely (e.g., using a harmless payload like triggering a simple alert box, or accessing a safe test file).

Reports lacking a manual Proof of Concept or consisting solely of automated scanner output will be closed and are not eligible for compensation.

4. Scope

In Scope

• *.poppy.be
• *.poppy.red
• Mobile App
• Any other specific apps, APIs, or infrastructure

Out of Scope

• Third-party services or vendors we use (e.g., our hosting provider or CRM).
• Clickjacking on pages with no sensitive actions.
• Missing security headers that do not lead directly to a vulnerability.
• Best-practice configurations without a demonstrable exploit.

5. Bounties and Rewards

We reward researchers based on the severity of the vulnerability, determined at our discretion using CVSS-based scoring principles and actual business impact.

Note: Duplicate reports are not eligible for a bounty. The first researcher to submit a valid, reproducible PoC will receive the reward.

6. How to Report and Validation Timelines

Please send your vulnerability reports to: security@poppy.be

Mandatory Encryption: You must encrypt the contents of your vulnerability report to protect sensitive information. Please use the following PGP public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGo1DqUBEADHhyg5ZMDlN3cOuJxQI4BJG+NFTnI86pN24AeUA3+hSmjVx8X9
A5JQdSAzKbeWa07oyMHGloyETLJ4gIfXjNuuLI3zyFfVJsgya1Ep6LghezwdRVow
cVwe9oXrWkbPgi9bsI97YKlPMJoCiHRkd6ZqssitAdkv4Mfnk9KDM0TpctmHmi7t
2HdFy2ltj8EoDoxRM7QY4QeV3fB9txG1bOgzGwZVJ32xaRiOltBfqZpvpdO9/h7V
/myoiNkII4jaVOlm9zM2ZdR2tT4yqGXGnJnlq6xCk8tjZ0LZCR6MsfayYpL4Xbkf
UYfhDSuyuLtDNfL8fD6r2ci+rNO4iwQ7H9qM/HTL6VoymDOzBjjOu9zkGGAtcAQb
3VrFuK2gcEeHDDOFFJiaAOQ2jMFuwZobXF0WNKSW7wPKYqlksCCM5GCrKBgvttMZ
Ox7heX/EIr/EA5VYKpQha2bQF2HhsNGzp/91BS+id0LdtoNteyCWzQJpaap7QhmT
+fGsnY1DU9HULwgyneUT/rVnYwCLckF1wdCtZf4InN9N3spEETSEm1cCcrAt81rP
pydq4RyzQkpiRv/6Lh2GhRUdXsbHvv01cG75HAyp5VdhRK4IKVSbIxrd/xV5Jq5p
9PYo3FNq2lDPmEF8/B97nobnjAGG6K86pA+CF3lBGFlr1io+bOvX5U1+oQARAQAB
tCJQb3BweSBTZWN1cml0eSA8c2VjdXJpdHlAcG9wcHkuYmU+iQJSBBMBCAA8FiEE
zwBmsvgfw+POziinQTuVLOQOei0FAmo1DqUDGy8EBQsJCAcCAiICBhUKCQgLAgQW
AgMBAh4HAheAAAoJEEE7lSzkDnothbkP/jeFM4ccBQSQA6opsoKvsVVjaPZxvrl6
tHRbHh3gT69+u+7BzWbnPL6it4/rYxi9hi7ar3WUy8V70XMa83twwljeP6zMGUAA
nPjMy1yPoGwClwcNZNXU/toZpZzlRdRlzCfeQx6sXt3Z3W11f5IY8fWU/ILBzvOG
xBsjP8QC7w4ljlr6HZBrxZFvrXtCRxBrJOthtITEhCd5P4dwh9NVW2I5mTlGICLu
g9dnMrqt+y0FqGcgOsrID7A0HTYxw0K+I5pKEBEFPbX5DfN179iz8MC1QI4Rv7qq
tF/lvidcvplYuwFgdCLf9C6LpoLehS2nAIjvcS8B5Dp6pE2TnexsejxWvocPsUS6
4ZW2f8FHW8T7vT3ukWmCgiU0HaxWtu5XCt+MxbbdMiPajQwFF+Q7+VZbwsGNZorw
d1Mb8hhFEr+Vci6dGmX5lguSt9zT31BCpgnunHxIZtUja/5Gydr3d63Aue7knyO5
PG+UgLP8B0jZ3GdrrrUJloASF66iyjS+wu3+w7xCvwqFewixFkCgbEeg4iCXMJm+
LtfZ/8nHlPMG/FaNVdVaO4oTjoID6+j2rxOG9hIEb7J0jp8QAUesLIhafBiq/5Py
9IaBy/9Oz6c7zbSCkLDwFi13BbsZQN+l/hnI/v5ZI8+7Czorx3vsYWCXaUCvTO+A
lKw0LC1lw54UuQINBGo1DqUBEACT2YaYrii0ISLCMu7wKoPHvlwPBLWVZ62Vg3uy
TV3FU+rhePJwIvKLvCQjM314vWF2mt+OfBvYVGpZpiTTnxEFueYLD15OULOOWiTt
VWz7ZqXgeldLNru+rmwDnwYZT3imjwVkDA+JFxWBGSg4CIIhhIfHwfDoFDnJp4eX
0L9ER+y54xIMuv4AUp48uc6+VmsnhNtE7KHzPldKa2hKcm6MY6ZK2fhybzJz7Yzx
BQlaHCDWg8zz+tT+PFsN3SkrAdy5iUEFssNLroC6O3f1YR6BnPC86SVyM4DCwf6n
S/geEmLGVsU2kUqoZiq1qCYyutZvI71hKpfBRe+w53RJ26sYSwXo39/9ZYeIO+dX
keemGiNDfOUP2IEw5hlSsCXGxG5+mANmRdKpPXUWT/WqaWzg3DjY11hsBYwwUW/M
vpmkwMeDiyiwAkTQQI0Ph+1NcY7xo7pl8MojjfPXliDNaI//Nuz3TMxyuuoIIkLx
CeEVXETgplz3A378S/cWXWwsx3tV6fEcwjTzWajCE4NTfuQwdFvM1zqQueiiUmzV
y223RLWneqA4gDDR4/ARtNEhBOIrm5ZqfUDrqMdYCeZGLOD1QzUpLOkBkEoWFYjt
QxVpMkSxAXbR1QcFaqkLYzvLhJ0ZNYDtX7//PlnIZ15Je3smbQ3pRRK2vpZroDUz
aXmgKQARAQABiQRsBBgBCAAgFiEEzwBmsvgfw+POziinQTuVLOQOei0FAmo1DqUC
Gy4CQAkQQTuVLOQOei3BdCAEGQEIAB0WIQS3ebs5pDD0vISedU+CCGV602OynwUC
ajUOpQAKCRCCCGV602Oyn3CFD/wNgm/Hepjc0nN6pDRBmNz+YgBHeB9fhfE37xm0
a5/caN689QOTfLgu/35qaO9XP4IiZRMX5DFMZ3d0aZ81Xo2ZMwN3YN0tGSAL5xGh
HHhIGfOpLvDAQ6HAkVVUbSonx7NcD6TH52VexJdicqWlfEHTksSWv7sUhoUo2l96
vEMQIfMkWGV3fXzyKzVU1AQS1JXqZccb7z4joV3LbTOdTOojJ+yRhkVqn7StN4Xk
4d6o2GMK7A3Vb8oTevB5PCIvYnHBrEUOC7J3/tYfj/BPIBUrkxaaRpIsRkc4TDgc
zY+KhwOQeQxrhxPiaiTSGJj7hfx7qtZ7o8XcqvDGcb536YNOWwjEwkRxWM02q7zC
DAm/FMpaYdd7ZAc1Wvs6fVevcHurUMwKSqbHCkdT5WBmokouhnt16R+lpPpn4YQX
KuxlX98OBD7hjBh4jvYOUBE2btTzx55XqHo59L/FZoIYbDgiGsjwRT9oTwHppPxt
qYUjbyVoBAKxP9JDsmrjB4tdLo5zW3A3SU28rYebQ0KtRw4h1/IB/R6cl0ou27pE
W+QYzrJgYYyj5z6q6d6nCFslAgwDTGh4lsL4/BwL4olJb9zUyA9CVND/xXSjNa0r
RJeW39oTjKQ4M3JvSKYDksoT60RNmXO09iJiX/6mrj4xPmpKL5I4X+d5hVlMfxhY
P+RT808/EACAcSE8/XiuOo4ItF+hst0QYYTB9kNh0lpMz44Ry4tdi94hoWYkt6PB
3VZF6bzovyn8l6ePJcUhyA5SgNYjo4H6+KtZDKjSRz0QiV9fmRGwXqjy/S0r2vsv
hVbq13fcUWFet1ZnUjYrrKWHqE+7CwZdCLK9fMbX1I75o1cpy5vuYvwcAJjB9Dax
9kubeExYZmqIsjx8MEqdow8X6Xhckmz53QpnhxeCB8iBI/iIzrrzdNzMl+xzbv6t
wFZLJ3RXOkIGcq3Zj9dE1aImQ8+w6933Mvz1hGQ8hBySt5jjtjijQ8leRrLY8cUP
CV+GHrCQCJJ+VsOoAhn9czI9c/Ua+XS711WovpG9M/TX5YmvgMQ+Xi+/zLuvf3BW
XIJeAQ92VWhlWzhHbiKKUlxs0uZT6GHhZ/5M/UT5dd8kDdwBh9grFPmP1KQqLT6L
4A2CWewM52knFzOJKCckWEujestO5qWSz2xIZAKMJFlT6/+USBiT5gS+fdYIFOdA
UlyD2FqoOcatFQEs4GavAEzjiX5EHaM5XByetFaG6Lr5Ezb+1k+5VKXbd33Uedl4
TWzQMZt7dVdGts6hg3CbZKIpo6Ck61voi2W4KqeGRN619cuL4e1QIrg43n7UakLx
aeYA4y7J2avFUbCoC7fs6Pnng+C4iB6UgYQCMTbXFyumsoAzCiv7Ig==
=qUx1
-----END PGP PUBLIC KEY BLOCK-----

Once your submission has been received and verified to include a valid PoC, we will validate the vulnerability according to the following timelines:

We ask that you maintain strict confidentiality and do not disclose the vulnerability publicly until we have deployed a fix and given explicit permission.