Responsible Disclosure

Guidelines for responsible disclosure

The security of our systems and products is very important to us and has the highest priority. Despite all the efforts we invest in our technologies, vulnerabilities can still occur. Should you discover any vulnerabilities, we would be pleased to hear from you.

Rules of the game

  • Do not share information about the security problem with third parties until the problem has been resolved.
  • State how and when the vulnerability or malfunction occurs.
  • Clearly describe how the problem can be reproduced, and provide information about the procedure used and the time of the investigation.

Use your knowledge of the security problem responsibly. Do not take any actions that go beyond what is necessary to demonstrate the security problem. Do not exploit the vulnerability maliciously, and do not store any confidential data obtained from the system as a result of the vulnerability.

If possible, please leave your contact details (e-mail address or telephone number) so that we can contact you to assess the vulnerability and keep you informed about its remediation. We also take anonymous reports seriously.

Our Responsible Disclosure Policy does not constitute an invitation to actively and comprehensively check our company network for vulnerabilities. We monitor our networks ourselves.

The problem may only be published, if at all, in consultation with the Group.

Outside the scope of the policy

The vulnerabilities listed below do not need to be reported under the Responsible Disclosure Policy. The following are outside the scope of the policy:

  • Physical attacks against data centers or the Group's property
  • Social engineering attacks targeting employees or customers (for example: forged login pages, impersonation of customer service, social media)
  • Distribution of spam
  • Denial of service attacks
  • Missing HTTP security headers without specific effects
  • Errors that can only be exploited by clickjacking
  • Self-XSS
  • Vulnerabilities that require unlikely user interaction (for example: deactivation of browser protection measures)
  • Disclosure of information marked as public
  • Attacks that require a man-in-the-middle

What you can expect from us

If you choose to share your contact information with us, we are committed to keeping you informed about the handling of your report as openly and as quickly as possible.

We guarantee a response within 5 working days.

In the meantime, we will endeavor to keep you informed of progress in solving the problem.

We will treat your report confidentially and will not share your personal information with third parties without your consent, unless required by law or court order.

We will decide together with you whether and how the problem you reported is made public.

Disclosure of security vulnerabilities

To disclose a possible security vulnerability, please send the information to the following address:

disclosure@cal.at

We thank you for your support in protecting our services and data in the best possible way.