This website uses necessary cookies to ensure that our website is ideally usable. We do not use cookies that process personal data without your prior consent. Read our Cookie Policy

Vulnerability disclosure policies (VDPs)

book reader icon
1 Minute
facebook logo gray
linkedin logo gray
mail logo gray
Vulnerability disclosure policies (VDPs)

If you have found a vulnerability, please submit your findings to [email protected]

Depending on the vulnerability we will reward you with a bug bounty. Please read the following points what vulnerabilities are accepted, and which ones are out-of-scope.

Vulnerabilities accepted

Accepted, in-scope vulnerabilities include, but are not limited to:

  • Broken Authentication and Session Management
  • Injection vulnerabilities
  • Cross Site Scripting (XSS) - Note: any report based on JavaScript being inserted on a landing page will not be fixed nor rewarded.
  •  Remote Code Execution
  • Insecure Direct Object Reference
  • Sensitive Data Exposure
  • Security Misconfiguration
  • Missing Function Level Access Control
  • Using Components with Known Vulnerabilities
  • Directory/Path transversal
  • Exposed credentials
  • Out of scope vulnerabilities


Certain vulnerabilities are considered out-of-scope for the Responsible Disclosure Program. Those out-of-scope vulnerabilities include, but are not limited to:

  • Social Engineering attacks
  • Account enumeration using brute-force attacks
  • Weak password policies and password complexity requirements
  • Missing http security headers which do not lead to a vulnerability
  • Reports from automated tools or scans
  • CSP header vulnerabilities
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • Reports of SSL/TLS issues, best practices or insecure ciphers
  • Test versions of applications
  • Mail configuration issues including SPF, DKIM, DMARC settings
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies
  • Vulnerabilities only affecting users of outdated or unpatched browsers
  • Software version disclosure / Banner identification issues
  • Tab nabbing
  • Open redirects
  • Issues that require unlikely user interaction
  • Solutions affected by known CVEs published less than 30 days ago
Last update 10 months ago