At ista SE, we take the security of our products, systems and services very seriously and work continuously to identify and remediate potential vulnerabilities. Our Coordinated Vulnerability Disclosure Program (CVDP) is to enable security researchers to report potential vulnerabilities in our products, systems and services without risk of legal or ethical conflict.

As part of this CVDP, and to ensure an open, transparent and trustworthy collaboration between security researchers and our company, we expect security researchers to adhere to the following points and procedures:

1. Vulnerability reporting 

If you have discovered a potential vulnerability in an ista SE product, service or IT system, please notify us immediately. A special reporting form is available further down on this page.

2. Responsibility 

We expect you to keep your potential discovery of a vulnerability confidential and not to share it with any third party and, after reporting it, not to interact with the potential vulnerability in any way and further not to exploit it for manipulation, compromise, or modification of products, systems and services, and not to download, modify, or delete any data.

Further, we expect you to comply with applicable laws.

3. Clear description

Your report should include a clear description of the potential vulnerability and information that will help us track and understand the vulnerability. Please include:

- A description of the potential vulnerability itself.
- How the potential vulnerability was discovered.
- Whether and how the potential vulnerability can be exploited.
- What happens if the potential vulnerability is exploited and
- Where it was found (URL, system, IP, ...).

4. Contact information

In order to process your report effectively, we ask that you provide us with your contact information. This enables us to contact you for further information on your report if necessary. Encrypted communication via PGP is possible by arrangement.

5. Time frame

We will respond to your hint in the short term and contact you.

6. Transparency

We will keep you informed about the progress of the processing.

7. Recognition

If you are a security researcher who discovers a vulnerability and reports it according to our CVDP's guidelines and procedures, we provide you with the opportunity to publish your name, social media presence, and date of discovery in our Hall of fame.