We encourage security experts and researchers to report potential vulnerabilities in our IT systems to us. We are particularly interested in information about security vulnerabilities that could compromise the confidentiality or integrity of user data or systems, or that could be used to gain unauthorized access to Abraxas services and products. If you have identified a potential security vulnerability in any of our IT systems, please reach out to us using the link provided to our VDP platform. Please include detailed information and instructions in your report to help our security team reproduce the problem.
Scope
Any public-facing systems owned by Abraxas are in scope, or if you discover vulnerabilities in the usage of one of our applications during your work.
Rules
All activities leading to the discovery of a vulnerability:
- Are within the scope permitted by law (see section Safe Harbor).
- Are within the VDP scope (see section Scope).
- Shall not destroy, interrupt or lower the services and products used and offered by Abraxas (and its customers and partners).
- Shall not leak, manipulate, or destroy any user data.
- Shall respect the intellectual property rights and other rights of Abraxas, its customers and third-parties.
- Shall not result in third-party data to be spied on or disclosed.
- Shall not publicly disclose or share any details about a potential vulnerability, in order to protect our customers and services.
- Shall avoid tests that could cause degradation or interruption of our service (refraining from using automated tools and limiting requests per second).
- Shall strictly follow a «report first» approach (in contrast to «exploit first»). Activities not absolutely necessary to identify a vulnerability shall be omitted, and permission shall be sought for further exploitation.
Safe Harbor
Abraxas values constructive and fair cooperation with participants in the Vulnerability Disclosure Programme (VDP). Abraxas will not take legal action against participants in this VDP, as long as they act in good faith and in accordance with the policy and the provisions of the Code of Conduct (see below) and applicable laws. Under these conditions:
- We interpret activities by participants within this VDP as authorized access under the Swiss Penal Code. This includes Swiss Penal Code paragraphs 143, 143bis and 144bis.
- We will not file a complaint against participants within this VDP for trying to circumvent the security measures deployed in order to protect the services in-scope for this VDP.
- If legal action is initiated by a third party against a participant within this VDP, we will take reasonable measures supporting the participant to defend the claim of the third party.
How to report security vulnerabilities
All reports should be submitted through our VDP platform.
If there are any uncertainties, contact can also be made via the following email address: servicedesk@abraxas.ch
Code of Conduct
What we expect from you:
- You should provide clear and concise reports in German or English.
- You must include a description of how you discovered the bug.
- You should be aware that reports outside the defined scope will likely not be considered.
- You are responsible for verifying reports from automated tools before submission.
- You respect the privacy and property of others and avoid destroying data or disrupting systems.
What you can expect from us:
- We will provide a prompt response to your report (within 5 business days).
- We will engage in a constructive dialogue to discuss the issue.
- We will offer a timeframe for the deployment of patches and fixes (typically within 90 days, but not guaranteed).
- We will acknowledge researchers who provide valid submissions on our platforms by featuring them in our Hall of Fame list.
