Vulnerability Disclosure Policy

Relution Software Security Vulnerability Disclosure Policy

1. Introduction

Relution is committed to the security of our products, services, and the data entrusted to us by our customers. We recognize that independent security researchers play a valuable role in identifying vulnerabilities that may otherwise go undetected.

This policy describes how security researchers can engage in authorized vulnerability discovery activities, how to report findings to us, and what they can expect from us in return. We value the work of security researchers who act in good faith to help us maintain a secure environment for our users.

This policy may be updated from time to time. The effective date and version number will be updated accordingly. We encourage researchers to review this policy before conducting any testing.

2. Scope

2.1 In Scope

The following assets are within the scope of this policy:

  • The Relution platform and its associated services hosted at domains operated by Relution
  • Web applications and portals operated by Relution under *.relution.io
  • The Relution Docker containers published to Docker Hub
  • Mobile applications published by Relution on official app stores
  • Public APIs documented at https://live.relution.io/web-api/index.html (registration required)
  • The Relution website and related web pages, such as Relution Hub

2.2 Out of Scope

The following targets are not authorized for testing under this policy:

  • Relution Software operated by our customers, partners, or third parties
  • Other systems, networks, or applications operated by our customers, partners, or third parties
  • Third-party services integrated into our platform (e.g., payment processors, identity providers, analytics services)
  • Physical premises and facilities of Relution GmbH

If you are uncertain whether a target is in scope, please contact us at security@relution.io before conducting any testing.

3. Rules of Engagement

3.1 Authorized Activities

When conducted in accordance with this policy, the following activities are explicitly authorized:

  • Analysis of publicly accessible information related to our systems (e.g., DNS records, SSL certificates, publicly available documentation)
  • Testing for common web application vulnerabilities (e.g., injection flaws, authentication weaknesses, access control issues, security misconfigurations)
  • Examination of API endpoints for security weaknesses
  • Analysis of client-side code served by our web applications
  • Provided they were published by Relution and you have legitimately obtained them through official distribution channels:
    • Analysis of Docker containers and their contents
    • Reverse engineering, including decompilation, of mobile applications, Java archives, and their class files

3.2 Conditions for Authorization

To remain within the scope of this authorization, you must:

  1. Act in good faith with the sole purpose of identifying and reporting security vulnerabilities
  2. Minimize harm: avoid actions that could impact system availability, data integrity, or other users
  3. Stop upon discovery: once you have confirmed a vulnerability exists, cease further testing and report your findings; do not attempt to demonstrate impact by accessing additional data or systems
  4. Protect data: do not access, copy, modify, or delete data belonging to other users; if you inadvertently access such data, stop immediately, do not save or share it, and include this information in your report
  5. Maintain confidentiality: do not disclose vulnerability details to third parties until we have had reasonable opportunity to address the issue and coordinated disclosure has been agreed upon

3.3 Prohibited Activities

The following methods and behaviors are not authorized under any circumstances, even against in-scope targets:

  • Any form of social engineering, phishing, vishing, pretexting, or similar activities against Relution employees or users
  • Physical intrusion or physical access attempts
  • Denial of service (DoS/DDoS) attacks or any testing intended to degrade service availability
  • Automated vulnerability scanning at volumes or frequencies that could impact system performance
  • Accessing, downloading, or otherwise exfiltrating customer data, personal data, or confidential business information
  • Modifying or deleting data in any system
  • Uploading malicious code, backdoors, or persistent access mechanisms
  • Attempting to pivot from a discovered vulnerability to access additional systems or data
  • Spam or unsolicited bulk messaging
  • Sharing access credentials, vulnerability details, or proof-of-concept code with third parties
  • Public disclosure of vulnerabilities before coordinated disclosure has been agreed upon

4. Safe Harbor

When security researchers comply fully with this policy, Relution commits to:

  • Not pursue civil legal action against researchers for activities conducted in accordance with this policy
  • Not refer researchers to law enforcement for activities conducted in accordance with this policy
  • Work in good faith with researchers who report vulnerabilities to us
  • Provide confirmation of authorization upon request for researchers who wish to document their authorized status before commencing testing

This policy constitutes authorization from Relution as the operator of the systems described in Section 2.1. We have established this policy to protect researchers who act in good faith.

However, this policy cannot and does not guarantee immunity from criminal prosecution. We strongly encourage researchers to document their activities thoroughly and request written confirmation of authorization from us before beginning testing if they have any concerns.

5. Use of Personal Data

The personal data transmitted in the context of reporting vulnerabilities is used exclusively for the purpose of investigating and remedying the vulnerability and is subject to the data protection regulations in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

6. Reporting Process

6.1 How to Report

Please submit vulnerability reports via PGP-encrypted email to: security@relution.io

Our PGP public key is available at keys.openpgp.org. The key fingerprint is: 3594 1638 19E1 9D4D 9FDA 35F7 8BDA B617 1E0A 12DF. Please verify the fingerprint of the key you retrieve against this value before encrypting your report.

We also publish a security.txt file (RFC 9116).

6.2 What to Include

To help us understand and address the issue efficiently, please include:

  • Description of the vulnerability and its potential impact
  • Affected system(s): URLs, application names, version numbers where applicable
  • Step-by-step reproduction instructions
  • Proof of concept: screenshots, logs, or code samples that demonstrate the vulnerability (without including real user data)
  • Your assessment of severity and potential impact
  • Your contact information for follow-up questions (may be pseudonymous if you prefer)
  • Any sensitive data encountered: if you inadvertently accessed personal or confidential data, describe what was seen without including the data itself

Please submit reports in German or English.

6.3 What Not to Include

  • Do not include actual customer data, personal data, or credentials in your report
  • Do not attach malicious payloads or functional exploit code that could cause harm if mishandled

7. Response and Disclosure

Upon receiving your report, we will acknowledge receipt within five business days and begin validating and triaging the reported vulnerability.

Please allow us reasonable time to address the vulnerability: we request a minimum of 90 days from the initial report before public disclosure. This allows us to validate and remediate the issue, verify the fix, and roll it out to all systems and customers.

We might request additional information from you through the established channels. We will keep you informed about the progress of the investigation and remediation.

Once the vulnerability has been confirmed, we will assign it an internal REL identifier, which is used to reference it in communication and in subsequent security advisories.

Once the vulnerability has been remediated, we will coordinate with you on disclosure timing and details.

8. Recognition and Rewards

We do not currently operate a monetary bug bounty program. We may establish such a program in the future and update this policy accordingly.

As of today, researchers who report valid vulnerabilities in accordance with this policy are eligible for:

  • Public acknowledgment on our Security Advisories page (with your consent)
  • Credit in security advisories related to the reported vulnerability (with your consent)
  • A letter of appreciation suitable for professional portfolios (upon request)

Appendix: Vulnerability Examples

These examples are meant to illustrate which types of vulnerabilities are in or out of scope of this policy.

Qualifying Vulnerabilities

  • Remote code execution
  • SQL injection and other injection vulnerabilities
  • Authentication or session management flaws
  • Authorization bypasses and privilege escalation
  • Cross-site scripting (XSS) with demonstrated impact
  • Cross-site request forgery (CSRF) with demonstrated impact
  • Sensitive data exposure
  • Security misconfigurations with clear impact
  • Server-side request forgery (SSRF)
  • Insecure direct object references

Non-Qualifying Issues

The following are generally not considered qualifying vulnerabilities:

  • Vulnerabilities requiring physical access to a user’s device
  • Vulnerabilities in third-party applications or services
  • Social engineering attacks
  • Denial of service vulnerabilities (please report these, but they are not eligible for recognition under this policy due to the testing limitations)
  • Issues identified by automated scanners without demonstrated exploitability
  • Missing security headers without demonstrated impact
  • Clickjacking without demonstrated sensitive action
  • Self-XSS (user can only execute script in their own session)
  • CSRF on non-sensitive functionality
  • Information disclosure of non-sensitive data
  • Software version disclosure without associated vulnerability
  • Theoretical vulnerabilities without proof of concept
  • Issues already known to us or previously reported