Policy
We appreciate your interest in helping us improve our security. Please follow the rules below to mitigate any risk of legal implications.

Coordinated Vulnerability Disclosure Guidelines

  • Avoid unauthorized sharing. During the coordinated disclosure process, please only discuss the vulnerability with the affected vendor, the system owner, and us.
  • Give time for a fix. Wait to publicly disclose the vulnerability until the affected parties have had sufficient time to address it, or until you and all parties—including PrevCheck—have reached a disclosure agreement.
  • Keep interactions to a minimum. After you have reported a vulnerability, do not interact with the affected system again during the coordinated disclosure process.
  • Limit your scope. When demonstrating a proof of concept, only perform the minimum actions necessary. Do not download, modify, or delete any data beyond what is required.
  • Do not exceed your access. Avoid elevating privileges or exploring a system beyond the minimum needed for your proof of concept. Use only your own accounts for testing and never exfiltrate other users' data.
  • Use ethical methods. Do not use brute-force or social engineering techniques to gain access to a system.
  • Avoid malicious actions. Do not conduct denial-of-service attacks or install malware or viruses.
  • Provide IP addresses. Whenever possible, include the IP addresses you used during your discovery. This helps us assess potential exploitation and reduce false positive alerts.
  • Communicate your plans. If you intend to publicly disclose your findings, for example, in a talk or article, please let us know ahead of time.

What to Expect from Our CVD Program

  • Legal Protections. As long as you follow our guidelines, act in good faith, and have no malicious intent, you will not face civil or criminal action from us for reporting a vulnerability.
  • Confidentiality & Anonymity. Your report will be treated as confidential. You can choose to remain anonymous, and we will not share your personal data with any third parties without your explicit consent.
  • Recognition. We are happy to credit you by name or nickname as the reporter of a vulnerability once the issue is resolved.
  • Timely Response. You will receive a confirmation of your report within 3 business days, and we will triage the issue within 5 business days.
  • Communication. We will keep you informed about the progress of the vulnerability remedy, and in the case of a CVE publication, we will coordinate the disclosure with all involved parties.
  • Monetary Reward. We are a 2-person startup with limited resources. Nevertheless, to honor your skills, we offer a reward of 250 CHF for qualifying technical vulnerabilities that expose sensitive user data. The reward is paid by bank transfer, cryptocurrency, or cash.

Last modified on Aug 26, 2025