Please email your findings to .

Please provide enough information to reproduce the problem so we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may potentially require more information.

Do not share information about the security problem with others until it is resolved.

Handle knowledge about the security problem responsibly. Do not perform actions beyond what is necessary to demonstrate the security problem.

Do not perform actions that may destroy or alter data. Do not take advantage of the situation.

Leave your contact information so that we can contact you to work together to resolve the problem securely.

You will receive confirmation of your report from us within no more than 5 days. All reports we receive will be treated confidentially. In principle, we do not share your report with third parties, unless this is necessary to resolve the report or we are legally obliged to do so. In some cases, we may contact you again because we need more information to investigate the report. We will keep you informed of the progress and status of your report in the interim where reasonably possible.

In certain cases, we may provide a token of appreciation for a report you have filed with us. If this is the case, we will contact you.

At the time of reporting a vulnerability, we kindly ask you to consider the scenario and security impact. We consider the following types of vulnerabilities to be out of scope:

·        Clickjacking on pages with no sensitive actions and without a documented series of clicks that can exploit a sensitive functionality

·        CSRF for non-significant actions

·        CORS misconfigurations when the Credentials header is not set

·        Missing HTTP security Headers that do not directly lead to a vulnerability, such as:

o   Content-Security-Policy

o   Strict Transport Security

o   X-Content-Type-Options

o   X-XSS-Protection

o   X-Frame-Options (unless there is a well-defined risk)

o   X-Download-Options

o   X-XSS-Protection

·        Missing best practices in SSL/TLS configuration

·        Missing best practices in Content Security Policy

·        Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

·        Missing cookie flags on cookies that do not hold session or other sensitive information

·        Information Disclosure – default exposed config files with no sensitive data

·        Open redirect vulnerabilities that do not demonstrate additional security impact

·        Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS

·        Host header Injection with no demonstrable impact

·        Vulnerabilities reported shortly after their public release

·        Vulnerability reports from automated tools without validation

·        Denial of Service and Social Engineering attacks

·        Attacks requiring MITM or physical access to a user's device