Responsible Disclosure

Last updated: 2026-06-12

WeSendit Media AG attaches the highest value to the security of its systems, applications, and processed data. Despite appropriate technical and organizational security measures, it cannot be ruled out that vulnerabilities may occur.

This policy regulates how security vulnerabilities can be reported and under which conditions WeSendit supports responsible disclosure.

1. Purpose of this Policy

The goal of this policy is to give security researchers, IT experts, and third parties a clear framework within which potential security vulnerabilities can be reported in a legally secure manner.

WeSendit pursues the principle of coordinated disclosure. Security vulnerabilities should first be reported confidentially so that they can be remedied before a public announcement is considered.

2. Scope of Application

This policy applies to all digital services, systems, and digital owned media of WeSendit Media AG, in particular: WeSendit.com and associated subdomains, WeSendit.Community, APIs, and internal platform services.

Not covered are systems or services of third parties, even if they are technically integrated. For these, the respective security and disclosure policies of the third-party providers apply.

3. Reporting Procedure

Security vulnerabilities are to be reported exclusively via the official contact point support@wesendit.com.

The report should contain: a detailed description of the vulnerability; the affected systems or URLs; step-by-step instructions for reproduction; and, if applicable, technical evidence or a proof-of-concept.

Please refrain from public disclosure or sharing with third parties until the vulnerability is fixed or WeSendit gives explicit consent.

4. Expected Behavior during Security Audits

Persons who investigate or report security vulnerabilities commit to: acting exclusively in good faith; not modifying, deleting, or manipulating data without authorization; not accessing data that is not required to prove the vulnerability; not intentionally overloading or affecting systems; and not applying social engineering or physical attack methods.

Tests are to be restricted to the necessary minimum to prove the existence of the vulnerability. Exploiting a security vulnerability or its public release without prior coordination is inadmissible.

5. Response and Processing by WeSendit

Upon receipt of a report, WeSendit will: confirm receipt; verify the reported vulnerability; perform a risk assessment; and take appropriate technical and organizational measures.

WeSendit endeavors to process reports promptly but assumes no obligation to meet specific deadlines. Coordinated publication after remediation can occur in agreement with the reporting person.

Insofar as a security vulnerability is reported in accordance with this policy and in good faith, WeSendit will refrain from legal action in connection with the report itself.

This assurance does not apply if: security vulnerabilities were abused; data was obtained or published without authorization; systems were intentionally affected; or other unlawful acts were carried out.

This policy does not establish a claim to financial compensation or other consideration, unless a separate bug bounty program is active.