Responsible disclosure policy

We therefore ask you to:

• Email your findings to security@centric.eu. Please encrypt your findings using our PGP key to prevent the information from falling into the wrong hands.
• Not exploit the issue by, for example, downloading or accessing more data than necessary to demonstrate the vulnerability, or by deleting or modifying data belonging to third parties.
• Not share the problem with others and to delete any confidential data obtained through the vulnerability immediately after it has been resolved.
• Not use attacks involving physical security, social engineering, distributed denial of service, spam, or third‑party applications.
• Provide sufficient information to reproduce the issue so we can resolve it as quickly as possible. Usually, an IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require additional information.

What to expect:

• We will respond to your report within 3 working days with our assessment of the notification.
• If you have complied with the conditions above, we will not take legal action against you concerning the report.
• We will treat your report confidentially and will not share your personal information with third parties without your consent, unless required to comply with a legal obligation. Reporting under a pseudonym is possible.
• In any publication concerning the reported issue, we will - if you wish - mention your name as the discoverer.
• If the issue was previously unknown to us and is assessed as valuable, we will offer a reward in the form of a pleasant surprise as a token of our appreciation. The size of the reward depends on the severity of the vulnerability and the quality of the report.

We aim to resolve all issues as quickly as possible. By mutual agreement, it can be determined whether and how the issue will be published once it has been resolved.