The reporter had found an open .git folder on one of our out of scope domains.
The issue was investigated and found to be valid. The source code was removed from the public server. The source code did not contain any business critical information and customer information was never at risk.
Most out of scope reports are closed as informative as they are not part of the bug bounty program but might provide good information (please see the policy for more information). As LocalTapiola does take security seriously, there are cases where actions are warranted also on out of scope reports. In this specific case, as actions were taken to fix the issue, there was a decision to award the reporter with swag and do a limited public disclosure.