RESPONSIBLE DISCLOSURE

Responsible disclosure policy

The safety and security of our systems and products are a matter of great concern to us and are given absolute priority. Despite all the effort invested in our technologies, vulnerabilities can still occur. We would appreciate being notified if a vulnerability is discovered.

Ground rules

Please do not share information about a security issue with third parties until the issue is resolved.

We ask for information about how and when the vulnerability or malfunction occurs.
We ask for a clear description of how the problem can be reproduced, together with information about the procedure used and the time of the investigation.

We request that knowledge about the security problem be treated responsibly. No action beyond what is necessary to identify the security problem should be taken. Vulnerabilities must not be exploited maliciously, and confidential data obtained as a result of the vulnerability in the system must not be stored.

If necessary, contact details (email address or phone number) can be left to enable us to make contact for evaluation and with regard to progress in eliminating the vulnerability. We also take anonymous reports seriously.

Our responsible disclosure policy is not an invitation to comprehensively and actively review our entire corporate network for vulnerabilities. We monitor our networks independently.
 
Disclosure of the issue, if any, may only be made in consultation with the Group.

Outside the scope of the policy

The security gaps listed below fall outside the scope of our responsible disclosure policy and do not need to be submitted under it:

  • physical attacks on data centres or property of the Group;
  • social engineering attacks targeting employees or customers (for example, spoofed login pages, customer service, social media);
  • circulation of spam;
  • denial-of-service attacks; 
  • missing HTTP security headers without any specific impact;
  • errors that can only be exploited by clickjacking;
  • self-XSS;
  • vulnerabilities that require improbable user interaction (for example, disabling browser protections);
  • disclosure of information marked as public;
  • attacks that require a man-in-the-middle.

What can be expected of us

If you opt to share contact information with us, we undertake to verify this information as transparently and quickly as possible.

We guarantee a response within five working days.

In the meantime, we will endeavour to keep you informed about progress made in resolving the problem.

We treat all notifications confidentially and will not share personal information with third parties without consent, unless we are required to by law or court order.

We will jointly decide on whether and how the notified problem will be reported.

Disclosure of gaps in security

If you wish to disclose a possible security gap, please send information to the following address:

disclosure@cal.at

Thank you for helping us to provide our services and data with the best possible protection.