Vulnerability Disclosure Policy
We welcome responsible security research. This policy explains how to report issues and what you can expect from us in return.
01 Scope
- IN SCOPE exosys.ch and all subdomains such as accounts.exosys.ch
- IN SCOPE Exosys-developed applications, software and public APIs
- OUT OF SCOPE Third-party services and infrastructure
- OUT OF SCOPE Social engineering or phishing of Exosys staff
- OUT OF SCOPE Denial of service attacks (DoS)
- OUT OF SCOPE Physical security
02 How to Report
Send your report to secr3p0rt@exosys.ch
For sensitive disclosures, encrypt using our PGP public key.
Please include in your report:
1. A clear description of the vulnerability
2. Step-by-step reproduction instructions or proof of exploitation
3. The potential impact and affected components
4. Any suggested remediation (optional but appreciated)
03 What to Expect
- Within 3 business days: Acknowledgment of your report
- Within 10 business days: Assessment and status update
- Upon resolution: Notification that the issue has been fixed
04 Our Commitments
We will not pursue legal action against researchers acting in good faith
We will keep your report confidential if requested
05 We Ask That You
Do not publicly disclose the issue. Give us reasonable time to fix it.
Do not copy or modify user data if not strictly necessary for proof of exploitability.
Do not intentionally disrupt our services or degrade user experience.