Responsible Disclosure

Information Security and Data Protection are key priorities for the x-tention group. Both are essential in order to protect the data of our customers from unauthorized access and manipulation in the best possible way. Despite major investments in security and regular reviews of our standards, it cannot be entirely ruled out that vulnerabilities may emerge.

We therefore ask all individuals, companies and organisations who may discover a security-relevant issue or vulnerability in any of our systems, networks, software or services to notify us immediately. This will help us to initiate appropriate countermeasures promptly and remediate vulnerabilities in a timely manner.


We kindly ask you to:

  • Send us your discovery to Click to view email. If you wish to transmit the information in encrypted form, please contact us in advance at the mentioned email address. We will then inform you about the next steps.
  • Provide us with sufficient information to reproduce the problem and rectify it without undue delay. Usually, the IP address or the URL of the affected system together with a description of the vulnerability or attack should be sufficient. For more complex vulnerabilities, further explanations may be necessary, which we will request from you if required.
  • Do not exploit the vulnerability by downloading, manipulating or deleting data!
    If you have accidentally downloaded confidential information, delete it immediately!
  • Do not disclose the vulnerability to any third party until it has been fixed!
  • Do not carry out any attacks on the physical security of our premises and systems, social engineering attacks or distributed denial of service attacks (DDoS attacks).
     

We assure you:

  • We take all reports seriously. We will investigate any potential vulnerabilities and fix identified issues as soon as possible!
  • We will reply to your report within 48 hours and keep you regularly informed about our progress on resolving the issue.
  • Provided that you comply with the instructions above, no legal action will be taken against you.
  • Your report is treated confidentially and we will not share any personal information with third parties.
  • We will inform affected stakeholders about the vulnerability without undue delay.
  • If you explicitly request it, your name will be mentioned as discoverer of the vulnerability in public communication.
     

This Responsible Disclosure Policy is based on the Responsible Disclosure Guideline of the National Cyber Security Centre, written by Floor Terra.