Vulnerability Disclosure Policy (VDP)

Introduction 

Bug Bounty Switzerland acknowledges the valuable role of independent security researchers acting in good faith to help maintain the safety and security of our and our customers’ data and the reliability of our products and services. We therefore welcome responsible reporting of any vulnerabilities identified in digital assets owned, operated or maintained by us. 

This policy outlines the steps for reporting vulnerabilities to us. Please review the policy carefully before you test and/or report a vulnerability. We are committed to collaborating with security researchers to verify and address any potential vulnerabilities that are reported.

Scope 

Any public-facing digital asset owned, operated, or maintained by Bug Bounty Switzerland. 

Out of Scope 

Please note that we use services from other companies for some parts of our systems and infrastructure. Vulnerabilities discovered or suspected in those systems should be reported to the appropriate vendor or applicable authority.  

Our Commitment 

When working with us in accordance with this policy, you can expect us to:

Our Expectations 

In participating in our vulnerability disclosure program, we ask you to: 

Bug Bounty Switzerland does not permit the following types of security research: 

While we encourage you to report to us any vulnerabilities you find, the following conduct is prohibited:

Coordinated Vulnerability Disclosure (CVD)

We value the effort of external security researchers who identify security vulnerabilities and disclose those vulnerabilities responsibly so that they can be fixed. Our policy is to allow publication, provided the following conditions are met (Coordinated Vulnerability Disclosure):  

Official Channels 

Please report security issues via https://app.bugbounty.ch/public/engagement/details/de64822a-60a2-45be-96ba-cd24a48bca24, providing all relevant information. Do not submit reports from automated tools without verifying them. The more of the following details you provide, the easier it will be for us to triage and fix the issue: 

Please note that this channel is for reporting undisclosed security vulnerabilities only and must not be used for any other support or information requests. Inquiries sent there that do not relate to undisclosed security vulnerabilities will not receive any response.  

Legal Safe Harbor 

You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before you continue your research. 

Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.