Vulnerability Disclosure Policy
1. Introduction
Our security is a top priority. We appreciate the work of security researchers and value the input of the community to help us maintain a high standard of security for our users.
2. No Bounty Policy
Please note: We do not offer monetary rewards or bug bounties for vulnerability disclosures. This is a voluntary Vulnerability Disclosure Program (VDP). We may, at our discretion, provide public acknowledgment or a "Hall of Fame" listing for high-quality, valid reports.
3. Safe Harbor
If you follow this policy and act in good faith, we will not initiate legal action against you. We consider your research "authorized" as long as you:
- Avoid data exfiltration beyond what is necessary to prove the vulnerability.
- Do not perform Denial of Service (DoS) or service-degrading tests.
- Do not access, modify, or destroy data that does not belong to you.
- Give us a reasonable amount of time to fix the issue before public disclosure (at least 90 days).
4. Reporting Guidelines
To report a vulnerability, please email postmaster@pchulpdienst.net with the following details:
- Description: A clear summary of the vulnerability.
- Impact: How this could affect our systems or users.
- Proof of Concept (PoC): Step-by-step instructions to reproduce the issue (screenshots or video are helpful).
5. Out-of-Scope Issues
The following findings are generally considered low-risk and are not eligible for acknowledgment:
- Missing security headers (e.g., HSTS, CSP) without a direct exploit.
- Rate limiting or brute-force reports.
- Email security records (SPF, DKIM, DMARC).
- Social engineering or phishing attacks against our employees.