Responsible Disclosure Policy – Non-Binding Guideline

This Responsible Disclosure Policy is not a contractual agreement and does not create any legal claims. It serves as a non-binding guideline for security researchers who wish to handle potential vulnerabilities responsibly.

Reporting Security Vulnerabilities

Please report potential security vulnerabilities to:

Requested information:

  • Description of the vulnerability: What did you notice and why do you consider it relevant to security?
  • Steps to reproduce: How can we reliably reproduce the behavior?
  • Potential impact: What risks could arise from the vulnerability?
  • Optional contact information: Send us your contact details so we can get in touch with you if we have any questions.

Permitted and non-permitted actions

Allowed:

  • Non-destructive security testing
  • Use of your own test accounts
  • Proof-of-concepts without sharing or accessing third-party data

Not allowed:

  • Brute-force attacks
  • Denial-of-Service
  • Social engineering / phishing
  • Circumvention of data protection requirements
  • Accessing accounts or data belonging to others

Scope

This policy applies exclusively to services and systems under klicktipp.com, klick-tipp.com, and their subdomains.

Process & Timelines

  • Incoming reports are usually confirmed within 7 days.
  • Prioritization and assessment by the internal security team.
  • Target: Fix within 60 days.
  • Public disclosure by the researcher is only permitted after coordination and after the issue has been fixed.

Legal Notice

  • This policy does not grant legal immunity, neither towards government authorities nor third parties.
  • It does not constitute a promise to refrain from taking legal action.
  • In case of violations—especially unauthorized access to personal data or other unlawful actions—KlickTipp expressly reserves the right to take legal steps.
  • Compliance with the policy may be taken into positive account but does not establish any legal entitlement.

Bug Bounty Program

Classification according to CVSS 3.1:

  • Critical (9.0–10.0) → up to €1,500
  • High (7.0–8.9) → up to €750
  • Medium (4.0–6.9) → up to €300
  • Low (0.1–3.9) → up to €100
  • Informational / Best Practice → Listing in the Hall of Fame (upon request)

Payouts may be granted under these conditions:

  • Payouts are voluntary and without legal claim.
  • The final decision on the type and amount lies solely with Klick-Tipp Ltd.
  • Requirements for eligibility:
    • The report is the first of its kind,
    • It is reproducible,
    • No legal requirements were violated,
    • The responsible disclosure process was followed.

Acknowledgment

With the consent of the reporting person, their name may be listed in our Hall of Fame.