Coordinated Vulnerability Disclosure Policy

This policy outlines the general expectations for reporting potential security vulnerabilities and describes our organizational approach to handling such reports.

Version: 1.0

Last updated: 2026-03-13

Contact page: https://erminas.com/security-contact/

1. Purpose

This policy describes how potential security vulnerabilities can be reported to us and how we handle such reports.

2. Reporting Channels

Information about potential security vulnerabilities should be submitted through the reporting channels published on our security contact page.

3. Information We Ask You to Provide

  • affected URL, component, product, or version
  • a clear description of the issue
  • steps to reproduce the observed behavior
  • expected and actual behavior, where relevant
  • potential impact
  • optional contact information for follow-up and coordination

4. Expected Conduct During Testing and Reporting

  • do not exploit a discovered issue beyond what is necessary to demonstrate its existence
  • do not intentionally affect availability, integrity, or confidentiality
  • do not access, modify, or delete third-party data unless strictly necessary
  • do not disclose details publicly before coordination with us

5. Our Handling of Reports

  • we review incoming reports
  • we prioritize reports based on severity and potential impact
  • we use provided contact details exclusively for follow-up and coordination
  • we aim to handle incoming reports appropriately and in a traceable manner

6. Confidential Communication

Public OpenPGP keys for encrypted communication will be provided as part of the final setup and referenced via the contact page and security.txt.

7. Scope

This policy applies to our publicly reachable web presence and related digital services, unless stated otherwise.

8. Legal Notice

This policy does not constitute a general authorization for unrestricted testing, scanning, or intrusive activity. Please act responsibly and in coordination with us.