Vulnerability Disclosure Policy

Scope

This policy applies to security vulnerabilities in:

Send vulnerability reports to:

PGP encryption is available on request.

Please include:

Acknowledgment within 3 business days
Status update within 10 business days, including an initial assessment
Coordinated disclosure — we will work with you on a disclosure timeline. We ask for a reasonable window (typically 90 days) to develop and deploy a fix before public disclosure.
Transparency — if we determine the report is valid, we will keep you informed of remediation progress

rebaze GmbH will not pursue legal action against individuals who:

Act in good faith to avoid privacy violations, data destruction, and service disruption
Only interact with accounts they own or with explicit permission of the account holder
Report vulnerabilities through the process described in this policy
Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue

We consider security research conducted in accordance with this policy to be authorized.

The following are not covered by this policy:

Social engineering (including phishing) of rebaze employees or contractors
Denial of service (DoS/DDoS) attacks
Physical attacks against rebaze offices or infrastructure
Vulnerabilities in third-party services, libraries, or platforms we do not control
Automated scanning without prior coordination

We appreciate responsible disclosure. With your permission, we will credit you by name in any related security advisory.

This policy follows the recommendations of RFC 9116 and BSI TR-03183-3. Last updated: April 2026.