Vulnerability Disclosure Policy (VDP)
IT security is a central component of Mesalvo's strategic direction. We place the highest value on ensuring the confidentiality, integrity, and availability of sensitive information. Nevertheless, vulnerabilities can occur or exist.
We hereby encourage independent security researchers to disclose vulnerabilities to Mesalvo in accordance with the policy presented here.
Procedure for Reporting a Vulnerability or Security Issue
To report a vulnerability or security issue, please proceed as follows:
Before submitting your report, please review the cases that are not covered by our Vulnerability Disclosure Policy and will therefore not be processed under it.
Send your findings about the security issue via email to isb@mesalvo.com.
We kindly ask you to use the following template:
Subject: Vulnerability Report
Title/Name of the vulnerability: _____
Affected product, incl. version (mandatory): _____
Exploitation technique:
[ ] Remote
[ ] Local
[ ] Network
[ ] Physical
Description of the vulnerability: _____
Suspected impact of the vulnerability: _____
Whether you believe the vulnerability is already being exploited: _____
Proof of Concept: _____
Suggested solution or remediation: _____
Author and contact details including email and phone (optional): _____
Indicate whether you would like to be credited as the discoverer of the vulnerability:
[ ] yes
[ ] no
Do not exploit the vulnerability or issue by, for example, downloading, modifying, or deleting data or uploading code. Do not conduct attacks on our IT systems that compromise, alter, or manipulate infrastructure or individuals. Do not conduct social engineering (e.g., phishing), (distributed) denial of service, spam, or other attacks against Mesalvo.
Do not share information about the vulnerability with third parties or institutions unless released by Mesalvo.
Provide us with sufficient information to reproduce and analyze the issue. Please also include a way to contact you for follow-up questions.
What We Promise
We will treat your report confidentially and keep you informed about the processing status. We are committed to cooperating with you in the event of a vulnerability report and to remedying reported valid vulnerabilities as quickly as possible.
Qualified Vulnerability Reports
Any design or implementation issue at Mesalvo that is reproducible and affects security can be reported. Examples include:
Cross Site Request Forgery (CSRF)
Cross Site Scripting (XSS)
Insecure Direct Object Reference
Remote Code Execution (RCE) – Injection Flaws
Information Leakage and Improper Error Handling
Unauthorized access to properties or accounts
Data/Information leaks
Possibility of data/information exfiltration
Actively exploitable backdoors
Possibility of unauthorized system usage
Misconfigurations
Non-Qualified Vulnerabilities
The following vulnerabilities and security issues are NOT covered by Mesalvo's Vulnerability Disclosure Policy:
Attacks that require physical access to the user's device or network.
Forms missing CSRF tokens (exception: if severity exceeds Common Vulnerability Scoring System (CVSS) level 5).
Missing security headers that do not directly lead to an exploitable vulnerability.
Use of a library known to be vulnerable or broken (without active proof of exploitability).
Reports generated by automated tools or scans without explanatory documentation.
Social engineering against individuals or entities of Mesalvo and its partners.
Denial of Service attacks (DoS) and Distributed Denial of Service attacks (DDoS).
Bots, spam, mass registration.
Submissions of best practices only (e.g., certificate pinning, security headers).
Use of vulnerable or “weak” cipher suites.