Vulnerability Disclosure Policy

Status: 06.04.2022

Credi2 GmbH, hereinafter referred to as “Credi2”, is committed to ensuring the safety and security of our partners as well as their customers. Toward this end, we as Credi2 are now formalizing our policy for accepting vulnerability reports in our products. We hope to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all our partners and their customers.

We have developed this policy both to reflect our corporate values and to uphold our legal responsibility to good-faith security researchers who provide us with their expertise.

Initial Scope

Credi2’s Vulnerability Disclosure Program initially covers the Credi2 website (https://www.credi2.com) and all its subpages (hereafter referred to as Credi2’s “products”).

While Credi2 develops other products, we ask that all security researchers submit vulnerability reports only for the stated products. We intend to increase our scope as we build capacity and experience with this process.

Researchers who submit a vulnerability report to us will be given full credit on our website once the report has been accepted and validated by our IT security team, if so requested.

Legal Position

Credi2 GmbH will not take legal action against anyone who submits vulnerability reports through our Vulnerability Reporting Form and adheres to the given terms. We openly accept reports for the currently listed Credi2 products. We agree not to pursue legal action against anyone who:

Intentional exploitation of security vulnerabilities, disclosure of security-related information to third parties, and similar malicious acts are, of course, illegal and will be reported to the police.

How to Submit a Vulnerability

To submit a vulnerability report to Credi2’s Product Security Team, please click here.
To report a security vulnerability, please contact us and include the following information:

How We Handle Vulnerability Disclosure

We will send you an automatic reply to let you know that we received your report, and we’ll contact you if we need more information.
Please note that we do not offer a bug bounty program. This means that we do not pay rewards for disclosed security vulnerabilities.
To protect our customers, we investigate all reported issues, but we do not confirm them publicly.