Bug bounty
Responsible disclosure, with safe-harbour rules.
Security researchers can report vulnerabilities under clear scope, safe-harbour, response targets and reward bands. The programme is in private beta while the platform is pre-production.
Private beta scope
Good-faith testing within scope, without privacy harm, persistence, extortion, social engineering or disruption, will not be treated as unauthorised access by Thesmios.
In scope
demo.thesmios.com public demo surfaces
thesmios.com marketing and API routes
Credential verification, wallet export and presentation endpoints
Authentication, share-token and access-control boundaries
Out of scope
Denial-of-service or load testing
Physical attacks
Social engineering
Scanner-only reports without exploitability
Reports requiring access to another user's real personal data
Reward bands
Critical (GBP 1,500-5,000): Cross-tenant data access, Credential signing key compromise
High (GBP 500-1,500): Authentication bypass, Privilege escalation
Medium (GBP 100-500): Stored XSS in authenticated workspace, Sensitive metadata exposure
Low (Recognition): Low-impact misconfiguration, Security header gap