Vulnerability Disclosure Policy (VDP)

IT security is a central component of Mesalvo's strategic direction. We place the highest value on ensuring the confidentiality, integrity, and availability of sensitive information. Nevertheless, vulnerabilities can occur or exist.

We hereby encourage independent security researchers to disclose vulnerabilities to Mesalvo in accordance with the policy presented here.

Procedure for Reporting a Vulnerability or Security Issue

To report a vulnerability or security issue, please proceed as follows:

Before submitting your report, please inform yourself about the cases that are not covered by our Vulnerability Disclosure Policy and will not be processed within this framework.

Send your findings about the security issue via email to isb@mesalvo.com.

We kindly ask you to use the following template:

---

Subject: Vulnerability Report

Title/Name of the vulnerability: _____  
Affected product, incl. version (mandatory): _____  
Exploitation technique:  
    [ ] Remote  
    [ ] Local  
    [ ] Network  
    [ ] Physical  
Description of the vulnerability: _____  
Suspected impact of the vulnerability: _____  
Assumption whether the vulnerability is already being exploited: _____  
Proof of Concept: _____  
Suggested solution or remediation: _____  
Author and contact details including email and phone (optional): _____  
Indicate whether you would like to be credited as the discoverer of the vulnerability:  
    [ ] yes  
    [ ] no

---

Do not exploit the vulnerability or issue by, for example, downloading, modifying, or deleting data or uploading code. Do not conduct attacks on our IT systems that compromise, alter, or manipulate infrastructure or individuals. Do not conduct social engineering (e.g., phishing), (distributed) denial of service, spam, or other attacks against Mesalvo.

Do not share information about the vulnerability with third parties or institutions unless released by Mesalvo.

Provide us with sufficient information to reproduce and analyze the issue. Please also include a way to contact you for follow-up questions.

What We Promise

We will treat your report confidentially and keep you informed about the processing status. We are committed to cooperating with you in the event of a vulnerability report and to remedying reported valid vulnerabilities as quickly as possible.

Qualified Vulnerability Reports

Any design or implementation issue at Mesalvo that is reproducible and affects security can be reported. Examples include:

Cross Site Request Forgery (CSRF)

Cross Site Scripting (XSS)

Insecure Direct Object Reference

Remote Code Execution (RCE) – Injection Flaws

Information Leakage and Improper Error Handling

Unauthorized access to properties or accounts

Data/Information leaks

Possibility of data/information exfiltration

Actively exploitable backdoors

Possibility of unauthorized system usage

Misconfigurations

Non-Qualified Vulnerabilities

The following vulnerabilities and security issues are NOT covered by Mesalvo's Vulnerability Disclosure Policy:

Attacks that require physical access to the user's device or network.

Forms missing CSRF tokens (exception: if severity exceeds Common Vulnerability Scoring System (CVSS) level 5).

Missing security headers that do not directly lead to an exploitable vulnerability.

Use of a library known to be vulnerable or broken (without active proof of exploitability).

Reports generated by automated tools or scans without explanatory documentation.

Social engineering against individuals or entities of Mesalvo and its partners.

Denial of Service attacks (DoS/DDoS - Distributed Denial of Service).

Bots, spam, mass registration.

Submissions of best practices only (e.g., certificate pinning, security headers).

Use of vulnerable or “weak” cipher suites.