Responsible Disclosure

At Aqqo, we prioritize the security of our systems and the trust our customers place in us. Despite our continuous efforts to maintain system security, vulnerabilities might occasionally arise. If you've identified a vulnerability in one of our systems, please notify us as soon as possible so we can investigate and address the issue promptly. We value collaboration and aim to work together to protect our customers and our infrastructure.

Responsible Disclosure Policy

If you’ve discovered a potential security issue in our systems, we kindly ask you to report it safely and discreetly. By doing so, you help us protect our users, improve our services, and maintain trust across our platform.

Please take a moment to review the following guidelines before submitting your findings:

How to report

  • Email your findings to responsibledisclosure@aqqo.com
  • Please encrypt your report using our PGP key to ensure that the information doesn’t fall into the wrong hands
  • Use a clear subject line, for example: ‘Vulnerability report - [system/URL]’

Scope

This policy applies to systems and services owned, operated, or controlled by Aqqo.

In scope (examples): 

  • Web applications and APIs hosted under: [list primary domains, e.g., aqqo.com, app.aqqo.com, api.aqqo.com] 
  • Aqqo-controlled infrastructure supporting these services
  • Official Aqqo mobile apps (if applicable): [iOS/Android app names or store links] 

Out of scope (examples): 

  • Third-party services not controlled by Aqqo (e.g., external providers), unless the issue is demonstrably caused by Aqqo’s configuration
  • Issues in systems where you do not have authorization to test 
  • Physical attacks against offices, employees, or facilities 

If you are unsure whether a target is in scope, please contact us first at responsibledisclosure@aqqo.com.

Rules of engagement 

When researching and reporting a vulnerability, please:

  • Do not exploit the vulnerability beyond what's necessary to demonstrate the impact. For example, do not download more data than needed, and do not access, delete, or modify third-party data.
  • Respect privacy and confidentiality. Do not share details with others until the issue is resolved, and erase any confidential data obtained through the vulnerability as soon as it is no longer needed for validation.
  • Avoid disruption. Do not use physical security attacks, social engineering, distributed denial of service (DDoS), spam, or any testing that harms availability or performance. 
  • Act in good faith and stay within scope. Avoid repeated automated scanning, high-volume requests, or actions that could affect other users. 

What to include in your report 

To help us triage and fix the issue quickly, please provide:

  • The affected IP address / domain / URL
  • A clear description of the vulnerability and its realistic impact 
  • Steps to reproduce (including request/response examples where helpful) 
  • Any proof-of-concept, screenshots, or logs (sanitized where possible) 
  • Whether you believe personal data could be exposed or misused
  • Your preferred contact details and whether you’d like public credit if the issue is disclosed 

Scope and severity 

We prioritize vulnerabilities that have a clear, realistic impact on the confidentiality, integrity, or availability of data or accounts. Examples include authentication or authorization bypasses, injection issues, and direct data exposure.

We may offer rewards, at our discretion, for valid reports of previously unknown vulnerabilities with sufficient severity and impact.

The following categories are generally not eligible for rewards (though we may still address them as hardening or best-practice improvements):

  • Best-practice or defense-in-depth recommendations without a demonstrated attack scenario (e.g., additional security notifications, missing or non-optimal security headers without exploit).
  • Self-XSS or issues that require the victim to modify their own browser/DevTools or run arbitrary code in their own console. 
  • Issues that assume the user’s device, browser, or email account has already been compromised.

Rewards 

As a token of gratitude, we may offer discretionary rewards for valid reports of a previously unknown security issue. Rewards are determined based on severity, impact, and the quality of the report, starting with a voucher worth €25.

Rewards are generally not offered for: 

  • Duplicate reports of previously known issues (whether previously reported externally or identified internally)
  • Issues that are out of scope 
  • Low-impact findings without a demonstrated attack scenario (see 'Scope and severity') 

We may not always be able to share details of our internal assessments or prior knowledge about specific issues.

Our Commitment

When you submit a report: 

  • We aim to acknowledge your report within 3 business days and, where possible, provide an initial assessment. For critical issues, we aim to respond sooner.
  • For higher-severity issues, we will do our best to keep you informed about important milestones (for example, when a fix is deployed).
  • If you have acted in good faith, within this policy, and without intentionally harming users or systems, we will not pursue legal action against you for your security research and report.
  • We’ll handle your report with confidentiality and won’t share your personal details without your consent unless legally obligated. Reporting under a pseudonym is acceptable.
  • We aim to address all issues as swiftly as possible.

Coordinated disclosure 

We support coordinated vulnerability disclosure. If you plan to publish details, please coordinate with us first. 

  • We ask that you do not publicly disclose the vulnerability until we have resolved it or agreed on a disclosure timeline.
  • For high-severity issues where public disclosure is appropriate, our typical disclosure window is around 90 days, but this may vary depending on severity, complexity, and user risk. We will communicate expected timelines during triage where relevant.
  • Low-severity issues may be treated as regular bugs without any public disclosure.
  • We appreciate being included in advance in any publication to ensure users remain protected.

Questions

Contact us at responsibledisclosure@aqqo.com if you have any questions regarding this policy.
