Responsible disclosure

At Aqqo we place great value on the security of our systems. Despite our continuous efforts to keep them secure, vulnerabilities can occasionally occur. If you have found a vulnerability in one of our systems, please notify us right away so that we can fix the problem promptly. We value cooperation and want to work with you to better protect our customers and our infrastructure.

Responsible disclosure policy

If you’ve discovered a potential security issue in our systems, we kindly ask you to report it safely and discreetly. By doing so, you help us protect our users, improve our services, and maintain trust across our platform.

Please take a moment to review the following guidelines before submitting your findings:

How to report

  • Email your findings to responsibledisclosure@aqqo.com
  • Please encrypt your report using our PGP key so that the details do not fall into the wrong hands while in transit
  • Use a clear subject line, for example: ‘Vulnerability report - [system/URL]’

Scope

This policy applies to systems and services owned, operated, or controlled by Aqqo.

In scope (examples): 

  • Web applications and APIs hosted under: [list primary domains, e.g., aqqo.com, app.aqqo.com, api.aqqo.com] 
  • Aqqo-controlled infrastructure supporting these services
  • Official Aqqo mobile apps (if applicable): [iOS/Android app names or store links] 

Out of scope (examples): 

  • Third-party services not controlled by Aqqo (e.g., external providers), unless the issue is demonstrably caused by Aqqo’s configuration
  • Issues in systems where you do not have authorization to test 
  • Physical attacks against offices, employees, or facilities 

If you are unsure whether a target is in scope, please contact us first at responsibledisclosure@aqqo.com.

Rules of engagement 

When researching and reporting a vulnerability, please:

  • Do not exploit the vulnerability beyond what is necessary to demonstrate the impact. For example, do not download more data than needed, and do not access, delete, or modify third-party data.
  • Respect privacy and confidentiality. Do not share details with others until the issue is resolved, and erase any confidential data obtained through the vulnerability as soon as it is no longer needed for validation.
  • Avoid disruption. Do not use physical security attacks, social engineering, distributed denial of service (DDoS), spam, or any testing that harms availability or performance. 
  • Act in good faith and stay within scope. Avoid repeated automated scanning, high-volume requests, or actions that could affect other users. 

What to include in your report 

To help us triage and fix the issue quickly, please provide:

  • The affected IP address / domain / URL
  • A clear description of the vulnerability and its realistic impact 
  • Steps to reproduce (including request/response examples where helpful) 
  • Any proof-of-concept, screenshots, or logs (sanitized where possible) 
  • Whether you believe personal data could be exposed or misused
  • Your preferred contact details and whether you’d like public credit if the issue is disclosed 

Scope and severity 

We prioritize vulnerabilities that have a clear, realistic impact on the confidentiality, integrity, or availability of data or accounts. Examples include authentication or authorization bypasses, injection issues, and direct data exposure.

We may offer rewards, at our discretion, for valid reports of previously unknown vulnerabilities with sufficient severity and impact.

The following categories are generally not eligible for rewards (though we may still address them as hardening or best-practice improvements):

  • Best-practice or defense-in-depth recommendations without a demonstrated attack scenario (e.g., additional security notifications, missing or non-optimal security headers without exploit).
  • Self-XSS or issues that require the victim to modify their own browser/DevTools or run arbitrary code in their own console. 
  • Issues that assume the user’s device, browser, or email account has already been compromised.

Rewards 

As a token of gratitude, we may offer discretionary rewards for valid reports of a previously unknown security issue. Rewards are determined based on severity, impact, and the quality of the report, starting with a voucher worth €25.

Rewards are generally not offered for: 

  • Duplicate reports of previously known issues (whether previously reported externally or identified internally)
  • Issues that are out of scope 
  • Low-impact findings without a demonstrated attack scenario (see 'Scope and severity') 

We may not always be able to share details of our internal assessments or prior knowledge about specific issues.

Our commitment

Our goal is to address all reported issues as quickly as possible.

Contact us at responsibledisclosure@aqqo.com if you have any questions about this policy.
