Coordinated Vulnerability Disclosure (CVD) Policy

01 Purpose

This Coordinated Vulnerability Disclosure Policy defines the process for reporting, handling, and resolving security vulnerabilities affecting our systems, services, and website. It aligns with the requirements of the Cyber Resilience Act (CRA) and supports responsible disclosure practices.  


02 Scope

This policy applies to:

  • All publicly accessible web applications and APIs
  • Backend systems and infrastructure
  • Mobile and desktop applications, if applicable
  • Third-party integrations under our control

Out of scope:

  • Social engineering attacks
  • Physical security attacks
  • Denial-of-service (DoS/DDoS) testing without prior approval


03 Reporting a Vulnerability

Security researchers and users are encouraged to report vulnerabilities responsibly.

Reporting channel:

  • Email: This e-mail address is protected from spambots; JavaScript must be enabled to display it.
  • Optional: encrypted submissions via PGP key

Required information:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Proof-of-concept, if available
  • Contact details for follow-up


04 Coordinated Disclosure Process

We follow a structured disclosure process:

  1. Acknowledgment
    • Reports are acknowledged within 3 working days.
  2. Assessment
    • Initial triage and severity classification, for example using CVSS.
  3. Remediation
    • Fix development and validation.
    • Priority is based on risk and impact.
  4. Disclosure Coordination
    • We agree on a disclosure timeline with the reporter.
    • Default target: 90 days, unless critical severity requires faster action.
  5. Public Disclosure
    • Vulnerabilities may be disclosed after remediation.


05 Safe Harbor

We commit to:

  • Not pursuing legal action against researchers acting in good faith.
  • Allowing testing within scope without prior authorization.
  • Recognizing responsible disclosure efforts.

Researchers must:

  • Avoid data exfiltration, privacy violations, or service disruption.
  • Not exploit vulnerabilities beyond proof-of-concept.
  • Keep findings confidential until disclosure is agreed.


06 Security Measures and Compliance (CRA Alignment)

In accordance with the Cyber Resilience Act, we:

  • Maintain a vulnerability handling process throughout the product lifecycle.
  • Ensure timely remediation of known vulnerabilities.
  • Document and track security issues internally.
  • Provide security updates where applicable.
  • Monitor and manage third-party component risks.
  • Report actively exploited vulnerabilities to relevant authorities if required.


07 Incident Handling and Reporting Obligations

If a vulnerability qualifies as a significant cybersecurity incident:

  • We follow internal incident response procedures.
  • We may notify authorities such as:
    • National cybersecurity agencies
    • Relevant EU bodies, for example ENISA
  • Reporting timelines comply with CRA obligations, including a 24-hour early warning where applicable.


08 Communication

We ensure transparent communication:

  • Status updates to reporters during remediation.
  • Public advisories for significant vulnerabilities.
  • Clear release notes for security fixes.


09 Policy Updates

This policy is reviewed regularly and updated to reflect:

  • Regulatory changes.
  • Industry best practices.
  • Internal process improvements.


10 Contact

For all security-related matters, please contact: This e-mail address is protected from spambots; JavaScript must be enabled to display it.

OrgaCard Siemantel & Alt GmbH
Industriestraße 24, 91126 Rednitzhembach
info(at)orgacard.de
+49(0)9122 1809-0