Responsible Disclosure
The security of our systems and of the data entrusted to us is our highest priority. Despite all care, vulnerabilities can never be entirely ruled out. If you discover a security vulnerability in one of our systems, we ask you to report it to us responsibly before disclosing it publicly. In return, we treat your report confidentially and will not take legal action against security researchers who act in good faith in accordance with this policy.
Scope
This policy applies to the publicly accessible systems operated by Reepa Solutions:
• reepasolutions.de and all subdomains
• The customer portal and its associated APIs
• Software and applications we publish
Out of scope
Please refrain from the following activities — they are expressly not covered by this policy:
• Denial-of-service (DoS/DDoS) or other tests that impair availability
• Social engineering, phishing against employees or customers
• Physical access to devices or premises
• Automated mass scanning that noticeably burdens our systems
• Vulnerabilities in third-party services (please report these directly to the respective provider)
• Purely theoretical findings without demonstrable impact (e.g. missing headers without a concrete attack vector)
How to report a vulnerability
Send your report to info@reepasolutions.de with the subject “Security Disclosure”. Machine-readable contact information is also available in our security.txt (per RFC 9116).
A helpful report ideally contains:
• A description of the vulnerability and the affected component (URL/endpoint)
• Steps to reproduce it (proof of concept)
• An assessment of the possible impact
• Your contact details for follow-up questions
Our commitment (Safe Harbor)
If you act in good faith in accordance with this policy, we commit to the following:
• We acknowledge receipt of your report within 3 business days.
• We keep you informed about the status of processing and remediation.
• We treat your report and your identity confidentially and do not pass them on without your consent.
• We will not initiate legal action against you and will not file a complaint, provided you adhere to the rules below.
What we ask of you
• Give us reasonable time to remediate before publishing details (guideline: 90 days).
• Access only as much data as is necessary to demonstrate the vulnerability — and no more.
• Do not modify, delete or publish third-party data, and do not disrupt operations.
• Do not violate anyone's privacy and do not breach applicable law.
• Delete any data obtained during your investigation once the report is concluded.
Reward
Reepa Solutions does not currently operate a formal bug bounty program with monetary rewards. However, we expressly thank you for every responsible report and are happy to name you in a public acknowledgement upon request.
For more information about how we handle data and security, see our Trust Center.
Last updated: June 2026