Gorilla welcomes and appreciates contributions from the security research community. Our Vulnerability Reward Program is designed to recognize individuals who help us identify and resolve security issues in a responsible and constructive way.

We believe in transparency, responsiveness, and rewarding good faith efforts that improve the security of our platform and the privacy of our users.

Scope

All aspects of Gorilla’s infrastructure, application, and platform are considered in scope — unless explicitly excluded in a future revision. This includes:

We do not disqualify any vulnerability categories by default. If you're unsure whether something is in scope, report it anyway.

Reward Guidelines

Gorilla offers monetary rewards based on the severity, impact, and quality of the report. While the table below provides general guidance, final reward amounts are determined solely by Gorilla’s CISO, based on the true net impact of the reported issue.

We take into account a variety of factors when assessing the impact:

Severity              Typical Reward (EUR)
Critical              €5,000 – €10,000
High                  €1,000 – €5,000
Medium                €250 – €1,000
Low / Informational   €50 – €250

Duplicate reports will not be rewarded. Gorilla does not publish accepted reports in order to preserve the security of the platform. We are open to good-faith discussion, but all reward decisions remain at the sole discretion of Gorilla’s CISO. We may issue lower or symbolic rewards for well-documented edge cases, hardening suggestions, or low-risk findings.

Rules and Restrictions