Responsible Disclosure

Last updated: 19/01/2026


Applies to: 5FSoftware GmbH – 5F Cloud Platform (5f.5fsoftware.de)


Purpose
The security of our cloud platform is our highest priority. We welcome reports of vulnerabilities and aim to provide a clear and fair process for reporting and remediation.

Contact
Please report security vulnerabilities confidentially to:

If possible, please include in your report:

  • affected URL/component/version
  • step-by-step description (PoC)
  • impact assessment (e.g., “Is data access possible?”)
  • logs/screenshots (preferably without personal data)

Scope
This policy applies to:

  • our cloud platform (5f.5fsoftware.de), including associated production subdomains
  • our official apps (iOS and Android)
  • our website (5fsoftware.de)

Out of scope are:

  • non-production environments such as development, test, or staging systems
  • third-party systems, services, or accounts, as well as external presences (e.g., social media)

If you are unsure whether something is in scope, please ask briefly before taking action.

Permitted approach (Good Faith)
We allow responsible reporting and careful testing in good faith, under the following conditions:

  • You do not access or modify third-party data.
  • You do not disrupt operations (no interference/overload).
  • You perform only minimally invasive tests (as little as possible, as much as necessary).
  • You report the vulnerability promptly and confidentially via the channel above.

Prohibited activities
In particular, the following are not permitted:

  • Denial-of-Service (DoS/DDoS), load tests/stress tests
  • password guessing, credential stuffing, or automated bulk attempts
  • social engineering, phishing, or exploitation of human factors
  • extracting, modifying, deleting, or exfiltrating data (especially personal data)
  • installing persistence/backdoors or maintaining access
  • testing outside the defined scope
  • publishing details before we have had the opportunity to remediate (see “Coordinated disclosure”)

If you inadvertently encounter third-party data, please stop immediately and inform us without delay.

No legal action by us
If you comply with this policy and act in good faith, 5FSoftware GmbH will:

  • not initiate civil action against you, and
  • not file a criminal complaint insofar as such a complaint is required for prosecution.

This assurance does not apply if:

  • systems are intentionally disrupted
  • third-party data is accessed, modified, or exfiltrated
  • extortion or “ransom” demands are made
  • or tests go significantly beyond what is necessary for verification

Note: This policy cannot prevent action by authorities (e.g., in cases of particular public interest); it describes our approach as the provider.

Data handling and confidentiality
Please avoid collecting personal data. Where technically unavoidable for assessment, limit it to the minimum and do not send us sensitive content. We treat reports confidentially and use them for analysis, remediation, and prevention.

Response and coordinated disclosure

  • We typically acknowledge receipt of your report within 3 business days.
  • We will inform you about the status where possible.
  • Please publish details only after our response and remediation, or after coordinating with us.
  • As a guideline, a period of 90 days from receipt of your report applies; for complex cases, the period can be extended by mutual agreement.

Bug bounty
We currently do not offer a bug bounty program. Regardless, we appreciate responsible disclosures.