Vulnerability Disclosure Program

Introduction

The security of our customers and our systems is our top priority. At creoline, we are constantly working to secure and improve our public and internal systems.

Should you discover a vulnerability, we would be pleased if you would report it to us responsibly. Your support will help us to maintain the security and integrity of our services.



Our promise

  • We will review and confirm submitted reports in a timely manner.
  • We will endeavor to correct weaknesses as quickly as possible.
  • We will treat your report confidentially and recognize your efforts.
  • We will not take legal action against anyone who reports vulnerabilities in accordance with this program.



What we expect

  • Give us enough time to analyze the reported vulnerability and take appropriate action.
  • Do not publish details of the vulnerability before we have fixed it ("Coordinated Disclosure").
  • Avoid activities that:
    • allow access to third-party data,
    • impair the availability of our services (e.g. through DDoS),
    • disrupt the operation of our systems.



Scope of application

Our program covers vulnerabilities that affect the security of the following systems:

  • creoline GmbH public websites and APIs
    • www.creoline.com
    • account.creoline.com
    • api.creoline.com
    • ip.creoline.com
    • secret.creoline.com
  • Customer portals and administration systems
  • Internal administrative systems (if accessible from the Internet)
  • Infrastructure and hosting services
  • SAML / OAuth2.0 authentication applications



Excluded from the program

Please note that the following items are excluded from the program:

  • Social engineering, phishing or physical attacks
  • Denial-of-service attacks (DoS, DDoS)
  • Vulnerabilities based on outdated browsers or plugins
  • Brute force attacks on passwords
  • External SaaS services



Rewards (Bug Bounty)

To recognize your efforts, we offer financial rewards for qualified vulnerabilities.
The amount of the reward depends on the severity of the vulnerability, its exploitability and its potential impact.

Severity levels and rewards:

Severity    Reward range
Low         up to 100 €
Medium      100 € - 500 €
High        500 € - 2,000 €
Critical    2,000 € - 5,000 €

We determine the exact amount of the reward based on the following criteria:

  • Technical exploitability
  • Impact on data protection and system security
  • Quality and completeness of the report

Requirements for a reward

  • The report must be complete and reproducible.
  • The vulnerability must be within the defined scope.
  • The vulnerability must not be publicly known or have already been discovered internally.

Payout

Rewards will be paid out via PayPal or SEPA bank transfer.
Please ensure that you provide a suitable payment method with your submission.

Note: Anonymous submissions are possible, but a payout can only be made if the required payment information is provided.



How to report a vulnerability

Please report vulnerabilities exclusively via our HackerOne page:

👉 Submit a report via HackerOne

The more detailed your report (including steps to reproduce, screenshots, proof-of-concept if applicable), the faster we can respond.



Recognition

We greatly appreciate your support and recognize contributions that improve our security as part of our recognition program. Details can be found on our HackerOne program page.