Security Policy

If you find a security issue, please report it to cert@troihost.de.
For encrypted communication, please see our CERT contact page.

We promise that:

  • We will keep the information you provide strictly confidential in any case.
  • We will not give your personal data to a third party.
  • We will give you feedback on your reported vulnerability.
  • We will not take legal action against you as long as you comply with ethical standards and our policy. This does not apply if recognisable criminal intentions have been or are being pursued.
  • After fixing the vulnerability and only with your approval, we will name you as the finder and supporter of the fix in our Hall of Fame.

What we expect from you:

  • You have not abused the vulnerability found. This means that no damage was caused beyond the reported vulnerability.
  • You have not carried out any attacks (such as social engineering, spam, (distributed) DoS or "brute force" attacks, etc.) against IT systems or infrastructures.
  • You have not tampered with, compromised or modified any third-party systems or data.
  • You have not offered any tools for vulnerability exploitation, e.g. on darknet markets, for a fee or free of charge, which third parties can use to commit criminal offences.
  • The vulnerability report is not the result of automated tools or scans without explanatory documentation. These do not constitute valid vulnerability reports.
  • The vulnerability report contains previously unknown information.
  • You should always provide valid contact details (e-mail address) so that we can contact you if we have any queries. Particularly in the case of complex vulnerabilities, it cannot be ruled out that we will require further explanations and documentation. As we attach great importance to good communication, vulnerability reports without communication options (e.g. valid contact details) will only be processed to a limited extent.

If you want to remain anonymous, please consider using the coordinated vulnerability disclosure of the Federal Office for Information Security (BSI).