Vulnerability Disclosure Policy

Credi2 GmbH, hereinafter referred to as “Credi2”, is committed to ensuring the safety
and security of our partners as well as their customers. Toward this end, we as
Credi2 are now formalizing our policy for accepting vulnerability reports in our
products. We hope to foster an open partnership with the security community, and we
recognize that the work the community does is important in continuing to ensure
safety and security for all our partners and their customers.

We have developed this policy to both reflect our corporate values and to uphold our
legal responsibility to good-faith security researchers that are providing us with their

Initial Scope

Credi2’s Vulnerability Disclosure Program initially covers the Credi2 website
(https://www.credi2.com) and all its subpages (hereafter referred to as Credi2’s

While Credi2 develops other products, we ask that all security researchers submit
vulnerability reports only for the stated products. We intend to increase our scope as
we build capacity and experience with this process.

Researchers who submit a vulnerability report to us will be given full credit on our
website once the report has been accepted and validated by our IT security team, if
so requested.

Legal Position

Credi2 GmbH will not take legal action against anyone who submits vulnerability
reports through our Vulnerability Reporting Form and adheres to the given terms. We
openly accept reports for the currently listed Credi2 products. We agree not to pursue
legal action against anyone who:

  • Tests systems without harming Credi2 or its partners. Explicitly excluded are, e.g., brute-force, DDoS and similar attacks that may lead to an interruption or impairment of our services or to the destruction of data.
  • Engages in vulnerability testing within the scope of our vulnerability disclosure program and avoids testing against products outside of the ones named in the previous section “Initial Scope”.
  • Tests products without affecting partners, or receives permission/consent from partners before engaging in vulnerability testing against their devices/software, etc.
  • Complies with applicable laws and regulations when doing so.
  • Does not exploit a security issue they discover for any reason.
  • Does not publish vulnerabilities.

Intentional exploitation of security vulnerabilities, disclosure of security-related information to third parties, and similar malicious acts are, of course, illegal and will be reported to the police.

How to Submit a Vulnerability

To submit a vulnerability report to Credi2’s Product Security Team, please e-mail vulnerability.report@credi2.com.

To report a security vulnerability, please contact us and include the following

  • The URL or IP address where you found the issue, and when you found it.
  • A description of the issue, including what you saw and what you expected to see.
  • A list of steps to reproduce the issue, or a video demonstration if it’s a complicated issue.

How we handle vulnerability disclosure

We will send you an automatic reply to let you know that we received your report, and
we’ll contact you if we need more information.

Please note that we do not offer a bug bounty program. This means that we do not
pay rewards for disclosed security vulnerabilities.

To protect our customers, we investigate all reported issues, but we do not confirm
them publicly.