Responsible Disclosure

Information Security and Data Protection are key priorities for the x-tention group. Both are essential in order to protect the data of our customers from unauthorized access and manipulation in the best possible way. Despite major investments in security and regular reviews of our standards, it cannot be entirely ruled out that vulnerabilities may emerge.

We therefore ask everyone who may discover a security-relevant issue or vulnerability in any of our systems, networks, software or services to notify us immediately. This will help us to initiate appropriate countermeasures promptly and remediate vulnerabilities in a timely manner.

We kindly ask you to:

  • Send us your discovery as soon as possible to vulnerability@x-tention.at. In case you prefer to transmit the information in encrypted form, please contact us in advance at the mentioned e-mail address. We will then inform you about the next steps.
  • Provide us with sufficient information to reproduce the problem and rectify it without undue delay. Usually the IP address or the URL of the affected system, together with a description of the vulnerability or attack, should be sufficient. In case of more complex issues we may ask you for further information.
  • Do not exploit any vulnerability for accessing, manipulating, or deleting data!
  • In case you downloaded confidential information accidentally, delete it immediately!
  • Do not disclose the vulnerability to any third party until it has been resolved!
  • Do not harm the physical security of our premises and systems. Refrain from carrying out any social engineering or (Distributed) Denial of Service attacks ((D)DoS attacks).

We assure you:

  • We take all reports seriously. We will investigate any potential vulnerabilities and fix identified issues as soon as possible!
  • We will reply to your report within 48 hours and keep you regularly informed about our progress on resolving the issue.
  • Provided that you comply with the instructions above, no legal action will be taken against you.
  • Your report is treated confidentially and we will not share any personal information with third parties.
  • We will inform affected stakeholders about the vulnerability without undue delay.
  • If you explicitly request it, your name will be mentioned as discoverer of the vulnerability in public communication.

This Responsible Disclosure Policy is based on the Responsible Disclosure Guideline of the National Cyber Security Centre, written by Floor Terra.