#  HiSolutions Coordinated Vulnerability Disclosure Policy (CVD)

1. PURPOSE & SCOPE
We encourage good-faith security research and welcome reports.
This policy does NOT apply to third-party products we merely resell or support.

2. SAFE HARBOUR (OUR COMMITMENT)
– We will treat every vulnerability report as confidential within legal limits.  
– We will not share personal data without your explicit consent.  
– We will acknowledge your report within 7 business days and keep you
  informed.  
– We will not pursue civil or criminal action if you act in good faith and
  comply with this policy (criminal intent excluded).  

3. WHAT WE EXPECT FROM YOU
Please:
- Do no harm – avoid privacy violations, service disruption or data loss.  
- Restrict testing to your own accounts or systems with explicit consent.  
- Stop testing and report immediately after finding a vulnerability.  
- Provide a clear, non-destructive proof-of-concept (PoC).  
- Keep the information confidential for up to 90 days or until we publish
   a fix, whichever is sooner, unless we mutually agree otherwise.  
- Leave no backdoors, tools or accounts behind and delete acquired data
   after we confirm receipt.  
- Include valid contact details (min. an email address for follow-ups).

4. OUT-OF-SCOPE
– Denial-of-Service or spam campaigns  
– Social-engineering of staff or customers  
– Automated vulnerability scans without prior coordination  
– Missing security-headers without proven exploitability

5. REWARD
We currently do not offer monetary bounties.

6. LEGAL NOTICE
This policy is governed by German law. Mandatory consumer protection and
data-protection statutes remain unaffected.

Thank you for helping HiSolutions
Last update: 2025-05-07