Vulnerability Disclosure Policy

This policy is for security researchers and any individual who believes they are aware of a security issue within easyVerein.

We value your contribution!

No technology and no human is perfect and we believe that working with security experts is crucial in identifying security issues and weaknesses in software and services. If you believe you've found a security issue in easyVerein or its close-coupled components and services, we would like to encourage you to notify us immediately!

We welcome working with you to resolve the issue promptly to ensure the highest security level for anyone involved.

For security research we run a dedicated easyVerein instance on the domain below. We ask you to refrain from using our live system for research purposes and to use our testing environment "Morris" instead. Morris has no access to any production data, but various test accounts (e.g. accounts for Alice and Bob) are preconfigured.

Access the instance:

Disclosure Policy

When you search for or have found security issues, please follow these guidelines to ensure a fast resolution:

  • Let us know as soon as possible upon discovery of a potential security issue or major weakness, and we'll make every effort to quickly resolve the issue.
  • Send us a detailed report that contains steps to reproduce or a proof of concept and the possible / estimated impact.
  • Provide us a reasonable amount of time to resolve the reported issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with accounts you own or with the explicit permission of the account holder.
    • On our test environment "Morris" you may also interact with Alice's and Bob's accounts.

Scope of this policy

While researching, we ask you to refrain from the following methods and targets:

  • Denial of service (DDoS) attacks against live services
  • Spamming or phishing users or employees
  • Using automated testing tools
  • Social engineering of our staff or contractors
  • Any physical attempts against properties or data centers
  • External services, integrations, or functionality that involves any third party

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping us keep our users safe!

Please use the following form to submit your findings to us.

Your email address:

Please describe your finding:

Secure upload file:

Please enter the verification code below, which we have sent to your email address, to verify the authenticity of the email.