Vulnerability Disclosure Program

Introduction

The security of our customers and our systems is our top priority. At creoline, we are constantly working to secure and improve our public and internal systems.

Should you discover a vulnerability, we would be pleased if you would report it to us responsibly. Your support will help us to maintain the security and integrity of our services.


Our promise

  • We will review and confirm submitted reports in a timely manner.
  • We will endeavor to correct weaknesses as quickly as possible.
  • We will treat your report confidentially and recognize your efforts.
  • We will not take legal action against anyone who reports vulnerabilities in accordance with this program.


What we expect

  • Give us enough time to analyze the reported vulnerability and take appropriate action.
  • Do not publish details of the vulnerability before we have fixed it ("Coordinated Disclosure").
  • Avoid activities that:
    • Allow access to third party data,
    • impair the availability of our services (e.g. through DDoS),
    • disrupt the operation of our systems.


Scope of application

Our program covers vulnerabilities that affect the security of the following systems:

  • creoline GmbH public websites and APIs
    • www.creoline.com
    • account.creoline.com
    • api.creoline.com
    • ip.creoline.com
    • secret.creoline.com
    • marketplace.creoline.com
    • dl.creoline.com
  • Customer portals and administration systems
  • Internal administrative systems (if accessible from the Internet)
  • Infrastructure and hosting services
  • SAML / OAuth2.0 authentication applications


Excluded from the program

Please note that the following items are excluded from the program:

  • Social engineering, phishing or physical attacks
  • Denial-of-service attacks (DoS, DDoS)
  • Vulnerabilities based on outdated browsers or plugins
  • Brute force attacks on passwords
  • External SaaS services
  • Third-party services
  • Customer servers and services


How to report a vulnerability

Please report vulnerabilities exclusively via our Responsible Disclosure Submission Form

Responsible Disclosure


The more detailed your report (including steps for reproduction, screenshots, proof-of-concept if applicable), the faster we can respond.


Recognition

We greatly appreciate your support and recognize contributions that improve our security as part of our program. By reporting vulnerabilities, you automatically apply for our private bug bounty program.

Similar articles
On this page
Emergency?
In urgent cases, our emergency hotline is available around the clock at +49 2507 900 80 - 34.