Vulnerability Disclosure Policy

Coordinated Vulnerability Disclosure

Vulnerability Disclosure Policy (VDP) for Password Depot

Effective: 10 March 2026

Purpose & Scope

Purpose of This Policy

AceBIT GmbH welcomes reports of security vulnerabilities in Password Depot and in related product-based web services maintained by AceBIT. This policy describes how security researchers can report potential vulnerabilities, which rules apply to security research, and what commitments AceBIT makes within the framework of coordinated disclosure.

Reports may be submitted in German or English.

Scope

  • Password Depot Enterprise Server
  • Password Depot Windows Client
  • Password Depot macOS Client
  • Password Depot Linux Client
  • Browser Extension (Chrome, Edge, Firefox)
  • Mobile Apps (iOS, Android)
  • Product-related web services under password-depot.de

The scope includes third-party components insofar as they are part of the products listed above.

Not in Scope

  • Production customer environments, custom installations and other third-party systems
  • Services or infrastructures operated by third parties that are not part of Password Depot
  • Social engineering, phishing, physical attacks, spam, brute force, credential stuffing, mass scanning or denial-of-service testing

Safe Harbor

If you act in good faith, comply with this policy, limit your tests to the scope described above and do not access, modify, delete or exfiltrate data or impair services, we will – to the extent legally permissible – refrain from civil claims arising from such security research.

To the extent within our control and legally permissible, we will also not file criminal charges in connection with such security research.

This does not apply to actions outside the scope, tests against customer or other third-party systems, data protection violations, operational disruptions or other violations of applicable law.

This policy does not constitute permission for testing outside the scope described herein.

Guidelines

Our Expectations of Security Researchers

1. Act carefully and in good faith, and limit your testing to what is necessary to demonstrate the vulnerability in a reproducible manner.
2. Do not access real customer data. If you inadvertently gain access to personal or other sensitive data, stop the test immediately and notify us without delay.
3. Do not modify, delete, exfiltrate or publish any data.
4. Do not perform tests that could impair systems or services or degrade their availability.
5. Do not use social engineering, phishing or physical attacks, and do not install backdoors or persistence mechanisms.
6. Do not share details publicly before we have jointly agreed on a coordinated disclosure date.

Reporting

How to Report a Vulnerability

Submit a Report

Please send your report to:

security@password-depot.de

Please include

  • Affected product, version, build and component
  • Description of the vulnerability
  • Steps to reproduce / proof of concept
  • Your assessment of impact and severity
  • Test environment, configuration and prerequisites
  • Contact details and, if desired, whether you would like to be credited

Please do not send unnecessary personal data or large data sets from production environments.

Confidentiality

We treat your report and – if you wish – your identity confidentially, to the extent legally permissible. We only publish your name with your prior consent.

Disclosure of your information occurs only to the extent necessary for the review, remediation and coordinated disclosure of the vulnerability or to fulfil legal obligations.

Process

What Happens After Your Report

  • Acknowledgement (48 Hours): We acknowledge receipt of your report.
  • Initial Assessment (7 Days): We inform you whether we classify the report as valid, duplicated, out of scope or currently not reproducible.
  • Ongoing Updates (every 30 Days): We keep you informed of the progress until resolution or until the coordinated disclosure.

Disclosure

Coordinated Disclosure and Security Advisories

Once a security update or other effective remediation is available, we generally publish a security advisory for confirmed vulnerabilities that require remediation.

If immediate publication would compromise the security of our users, we may delay publication until an appropriate time.

An Advisory Contains at Minimum

  • A description of the vulnerability
  • The affected products and versions
  • Impact and severity
  • Clear guidance on remediation or mitigation

Note on Statutory Reporting Obligations

If a report indicates an actively exploited vulnerability or a severe security incident, we may be legally obligated to transmit the necessary technical information to the competent authorities, the relevant CSIRT and ENISA, and to notify affected users.

We only disclose your identity in this context to the extent legally required.

Acknowledgement

We currently do not offer financial rewards or bug bounty payments unless expressly announced separately.

If you wish, we will credit you by name in a security advisory or acknowledgement after the vulnerability has been resolved. Please let us know with your report.

AceBIT GmbH Schleiermacherstr. 10 · 64283 Darmstadt · Germany
Email: security@password-depot.de