Autobahn Security welcomes reports from the security research community. This policy explains what you may test, the rules for doing so, and what you can expect from us in return.
Scope
The following assets are in scope for good-faith security research:
- autobahn-security.com
- *.autobahn-security.com (all subdomains, including our production app)
Findings that affect the confidentiality, integrity, or availability of these systems or the data they process are in scope.
Out of scope
- Any system we do not own or operate (third-party SaaS, CDNs, payment providers, registrars, and identity providers).
- Using the Autobahn Security platform to scan or probe assets you do not own. Our product is intended for scanning your own assets. Directing it at third parties without their authorization is platform abuse rather than security research, and may result in suspension of your account. For details on permitted platform use, see our Terms of Use.
- Physical offices, employee residences, and personal devices.
- Social engineering or phishing of our staff, customers, or partners.
- Internal networks and VPNs not reachable from the in-scope assets.
If you are unsure whether an asset is in scope, contact us before testing at: securityteam [@] autobahn-security.com.
Findings we generally consider informational
Unless you can demonstrate a concrete, exploitable impact, the following are typically closed as informational and are not eligible for recognition:
- Missing security headers without a working exploit.
- SPF/DKIM/DMARC issues on domains that do not send mail.
- TLS configuration issues that do not enable a practical attack.
- Clickjacking on pages without sensitive actions.
- Self-XSS requiring the victim to paste a payload.
- CSRF on endpoints with no state change.
- Open redirects without a demonstrable security impact.
- Rate-limiting, brute-force, or denial-of-service reports without measurable impact.
- User or email enumeration on signup or password-reset pages.
- Automated scanner output without manual validation.
Rules of engagement
By testing under this policy, you agree to:
- Make a good-faith effort to avoid harm — do not degrade service, modify or destroy data, or access more than is necessary to demonstrate the issue.
- Test only the in-scope assets above, using your own test accounts.
- Stop and notify us immediately if you encounter personal data, credentials, or payment data.
- Keep your proof of concept minimal — do not pivot, escalate, exfiltrate, or establish persistence.
- Avoid denial-of-service attacks, spam or mass-mailing, malware, and high-volume automated scanning (keep traffic under roughly 5 requests per second per host).
- Give us a reasonable opportunity to remediate before disclosing publicly.
How to report
Send reports to securityteam [@] autobahn-security.com. The mailbox is monitored on business days (Mon–Fri, CET), and critical issues are escalated immediately.
We do not yet publish a PGP key, so please avoid including raw exploit payloads, credentials, or customer data in your email — use redacted excerpts.
To help us triage quickly, please include:
- A one-line summary of the issue and its impact.
- The affected URL or host.
- Clear, numbered steps to reproduce.
- A minimal proof of concept (screenshots, requests, or a short script).
- A realistic assessment of what an attacker could achieve.
- The name or handle you would like to be credited under (optional).
Recognition
As an early-stage company, we do not currently operate a paid bug-bounty program. For valid reports of previously unknown vulnerabilities, we offer:
- Public acknowledgement on our security acknowledgements page, under your chosen handle.
- A reference letter for confirmed, remediated findings, on request.
We may decline recognition for duplicate, out-of-scope, or policy-violating reports.
Safe harbor
If you make a good-faith effort to comply with this policy, we will consider your research authorized. We will not pursue legal action against you for activity that adheres to these guidelines, and if a third party brings a claim against you for such activity, we will make clear that you were acting in accordance with this policy.
Contact
- Reports and security questions: securityteam [@] autobahn-security.com
- security.txt: https://autobahn-security.com/.well-known/security.txt