A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle vulnerability reports submitted by ethical hackers. A VDP must therefore be easy to find, and the standard mechanism for this is a security.txt file (RFC 9116) served at /.well-known/security.txt.
# Our canonical URL
Canonical: https://www.arvato.com/.well-known/security.txt
# Our security address
Contact: mailto: security@arvato.om
Expires: 2025-06-26T23:42:00.000Z
# Our preferred languages
Preferred-Languages: en, de, pl
Hiring: https://career.arvato.com/
# --- For the Humans ---
#
# Arvato operates in multiple countries. A detailed list can be found at https://arvato.com/about/locations
# We host some E-Commerce websites for our customers as part of our business. Identifiable customer systems
# (e.g. by domain or publicly hosted content) are out of scope for this vulnerability management program.
#
# --------------------------------------------------------- Responsible Disclosure Information ---------------------------------------------------------
#
# Arvato's Responsible Disclosure Information
#
# Security is important to Arvato. Despite our efforts we assume that vulnerabilities are still present.
# Currently Arvato does not run a formal bug bounty program and does not reward payouts. You can still report to us.
# Thank you all for your help in keeping us and our customers safe.
#
# What to do to report a vulnerability:
#
# * E-mail your findings to security@arvato.com
#
# * Please provide sufficient information to reproduce the problem, so we will be able to evaluate and resolve the
#   problem as quickly as possible. The IP-address or the URL of the affected system and a description of the
#   vulnerability are usually sufficient. Complex vulnerabilities may require a more detailed explanation.
#
#
# We are primarily interested in hearing about the following vulnerability categories:
# * Sensitive data exposure - Cross Site Scripting (XSS), SQL Injection, etc.
# * Authentication or Session Management related issues - IDOR (Insecure Direct Object References), use of hard-coded
#   credentials, missing/insufficient MFA etc.
# * Application logic misconfiguration that could lead to data leakage or not properly validated requests, etc.
# * Remote Code Execution - Vulnerabilities giving direct access to Arvato Systems Group assets/servers
# * Other types of clever vulnerabilities or unique issues that do not fall into explicit categories, but still pose a
#   threat to our systems or customers' personal information, financial information and brand reputation.
#
#
# What not to do:
# * Do not test the physical security of Arvato offices, warehouses, employees, equipment, etc.
# * Do not test using social engineering techniques (phishing, vishing, etc.)
# * Do not perform DoS or DDoS (Distributed Denial of Service) attacks.
# * In any way attack our end users or engage in trade of stolen user credentials.
# * When testing, please only do so on accounts belonging to you. Do not use leaked or compromised accounts belonging to other users.
# * Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary,
#   or deleting or modifying other people's data to demonstrate the vulnerability.
# * Do not reveal your findings to third parties. We try our best to remediate your findings within 90 days.
#
#
# What we promise:
# * We will respond to your report as fast as possible (normally within 10 working days but it could be considerably longer
#   during vacation periods) with our evaluation of the report.
# * We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
# * We will keep you informed of the progress towards resolving the problem.
#
#
# ----------------------------------------------------- End of Responsible Disclosure Information ------------------------------------------------------
This policy, crawled by Onyphe on 2025-04-04, is filed under the securitytxt category.
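A security.txt file is only useful if a reporter can actually act on it, so a defender publishing one should lint it the way a crawler would. The validator below is an added example written for this page; it is not FireBounty's, Onyphe's or Arvato's code. It applies the field rules of RFC 9116 (Contact and Expires required, Expires a single RFC 3339 date-time that is still in the future and ideally less than a year away, Contact an absolute URI without whitespace) and adds one heuristic of its own, labelled as such: a warning when a mailto: mailbox sits on a different base domain than the Canonical host. SAMPLE is a constructed copy of the directive lines of the file above, with the policy comments omitted; CRAWL_DATE is the crawl date from the page. Run against that sample it reports the space after "mailto:" as an error and the ".om" mailbox domain as a warning.

```python
"""Validator for security.txt files following the field rules of RFC 9116.

Added example for this page, not FireBounty's or Arvato's own tooling.
SAMPLE is a constructed copy of the crawled directives; the mailbox-domain
comparison against Canonical is a heuristic of this example, not an RFC rule.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

REQUIRED = ("Contact", "Expires")            # RFC 9116: MUST be present
SINGLE = ("Expires", "Preferred-Languages")  # RFC 9116: MUST NOT appear twice

CRAWL_DATE = datetime(2025, 4, 4, tzinfo=timezone.utc)  # date from the page

SAMPLE = """\
# Our canonical URL
Canonical: https://www.arvato.com/.well-known/security.txt
# Our security address
Contact: mailto: security@arvato.om
Expires: 2025-06-26T23:42:00.000Z
# Our preferred languages
Preferred-Languages: en, de, pl
Hiring: https://career.arvato.com/
# --- For the Humans --- (policy text omitted in this constructed copy)
"""

# Constructed corrected copy: no space in the URI, mailbox on the canonical domain.
FIXED = SAMPLE.replace("mailto: security@arvato.om", "mailto:security@arvato.com")


def parse_security_txt(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Return ({Field: [values]}, [lines that are not 'Field: value']).

    '#' comments and blank lines are skipped; field names are case-insensitive
    per the RFC, so they are normalised to the RFC's capitalisation."""
    fields: dict[str, list[str]] = {}
    bad: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            bad.append(line)
            continue
        key = "-".join(p.capitalize() for p in name.strip().split("-"))
        fields.setdefault(key, []).append(value.strip())
    return fields, bad


def _mail_domain(uri: str) -> str | None:
    """Mailbox domain of a mailto: URI (whitespace tolerated), else None."""
    if not uri.lower().startswith("mailto:"):
        return None
    addr = uri[len("mailto:"):].strip().split("?")[0]
    return addr.rpartition("@")[2].lower() or None


def _base_domain(host: str) -> str:
    """Last two labels of a host name (heuristic; no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def validate(text: str, now: datetime) -> list[str]:
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean."""
    fields, bad = parse_security_txt(text)
    out = [f"ERROR: not a 'Field: value' line: {b!r}" for b in bad]
    out += [f"ERROR: required field {f} is missing" for f in REQUIRED if f not in fields]
    out += [f"ERROR: {f} must appear only once" for f in SINGLE if len(fields.get(f, [])) > 1]

    for uri in fields.get("Contact", []):
        if any(c.isspace() for c in uri):
            out.append(f"ERROR: Contact URI contains whitespace: {uri!r}")
        if not urlparse(uri).scheme:
            out.append(f"ERROR: Contact must be an absolute URI (mailto:/https:/tel:): {uri!r}")

    for exp in fields.get("Expires", [])[:1]:
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
            if when.tzinfo is None:
                raise ValueError("missing time zone")
        except ValueError:
            out.append(f"ERROR: Expires is not an RFC 3339 date-time: {exp!r}")
            continue
        if when <= now:
            out.append(f"ERROR: file expired on {exp}; consumers must treat it as stale")
        elif when - now > timedelta(days=365):
            out.append("WARN: Expires is more than a year away (RFC 9116 recommends < 1 year)")

    canon_bases = set()
    for c in fields.get("Canonical", []):
        if urlparse(c).scheme != "https":
            out.append(f"WARN: Canonical URI is not https: {c!r}")
        canon_bases.add(_base_domain(urlparse(c).hostname or ""))
    # Heuristic of this example: a mailbox on another base domain than the
    # Canonical host is frequently a typo (e.g. a dropped letter in the TLD).
    for uri in fields.get("Contact", []):
        dom = _mail_domain(uri)
        if dom and canon_bases and _base_domain(dom) not in canon_bases:
            out.append(f"WARN: Contact mailbox domain {dom!r} does not match Canonical host")
    return out


def findings_for_sample() -> list[str]:
    return validate(SAMPLE, CRAWL_DATE)


def findings_for_fixed() -> list[str]:
    return validate(FIXED, CRAWL_DATE)


def findings_after_expiry() -> list[str]:
    # Same corrected file, checked after its Expires date has passed.
    return validate(FIXED, datetime(2025, 7, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for finding in findings_for_sample():
        print(finding)
```

The whitespace check matters in practice: a reporter pasting "mailto: security@..." into a client may end up with no recipient at all, and automated crawlers that parse Contact as a URI will simply discard the value. The expiry check mirrors what RFC 9116 asks of consumers, which is to treat a file whose Expires date has passed as stale rather than silently keep using it.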
FireBounty © 2015-2025