Rules for Responsible Disclosure at Diconium

At Diconium, we take the security of our digital services and products very seriously. We are committed to the identification and remediation of security vulnerabilities, and welcome insights and reports from the community. With your help, we will take swift action to address the identified vulnerabilities. This document describes how we work together with the security community.

Scope

In scope are all IT systems and digital products of Diconium, including web applications and related services.

Please note that the IT systems of our customers are excluded from this scope. Reports can be submitted for any design or implementation issue in Diconium systems that is reproducible and has a security impact.

Common examples include:

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Insecure Direct Object Reference (IDOR)
  • Remote Code Execution (RCE)
  • Injection Flaws
  • Information Leakage and Improper Error Handling
  • Unauthorized Access to Properties or Accounts
  • Data or Information Leaks
  • Potential for Data Exfiltration
  • Actively Exploitable Backdoors
  • Possibility of Unauthorized System Use

Vulnerabilities Out of Scope

The following vulnerabilities and IT security problems do not fall within the scope of this policy. Please do not report them to us:

  • Attacks that require physical access to a user’s device or network.
  • Non-compliance with best practices, such as missing certificate pinning or missing security headers, that does not directly result in an exploitable vulnerability.
  • Forms lacking CSRF tokens, unless the CVSS v3 base score of the resulting issue exceeds 5.0.
  • Use of libraries known to be vulnerable or publicly reported as compromised, without evidence that the vulnerability is actually exploitable in our systems.
  • Reports generated by automated tools or scans that lack accompanying explanatory documentation.
  • Social engineering attacks, including phishing, vishing, and CEO fraud.
  • Denial of Service (DoS/DDoS) attacks.


Bug Bounty Program

There is currently no official bug bounty program at Diconium.


Procedure

Please read this document fully prior to reporting any vulnerabilities to ensure that you understand the rules and can act in compliance with them.

Send your findings to security@diconium.com. To protect the confidentiality of this sensitive information, please encrypt your message with our public PGP key, which is referenced in our security.txt file at https://diconium.com/.well-known/security.txt. We will promptly provide you with initial feedback on the next steps.

  • Submit reports in either English or German.
  • Who is affected by the issue? Whenever possible, include the affected URLs or systems.
  • How can the vulnerability be exploited? Screenshots illustrating the issue are helpful.
  • All relevant details, including the exact steps required to reproduce the issue. Note: do not include sensitive data, such as passwords, in your description.

Please observe the following rules:

  • Do not perform large-scale automated vulnerability scans using tools such as Nessus.
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it, and never for malicious purposes.
  • Do not disclose information about the vulnerability to any third party or entity without explicit authorization from us.
  • Do not compromise the privacy or safety of our employees or customers.
  • Do not violate any criminal law.
  • Do not conduct attacks that compromise, alter, or manipulate our infrastructure, and do not target individuals, for example through social engineering.
  • Engage only in activities covered by this document and do not attack systems outside its scope. Avoid any action that could harm yourself or others or create a dangerous situation, such as manipulating control systems. Ensure that the user experience is not impaired and that systems are not disrupted.
  • Provide the date of discovery together with enough information for us to reproduce and analyze the problem effectively.
  • Include a contact method for any follow-up inquiries.

Our Principles

  • We are committed to addressing vulnerabilities as quickly as possible and you will receive timely feedback upon receipt of your report.
  • If you follow the rules in this document, we will not report your findings to law enforcement. This provision does not apply in cases where there is clear evidence of malicious intent.
  • If you follow the rules in this document, we will keep your report confidential and will not disclose your personal information to any third party without your explicit consent.
  • We will provide updates on the validity of the identified vulnerability or IT security issue and the progress of its resolution throughout the resolution period.
  • We will contact you once the finding is remediated and might ask you to retest it.