IMPORTANT NOTICE
This policy provides a legal and procedural framework for coordinated vulnerability disclosure. It does not change applicable laws in any jurisdiction. Unauthorized intrusion into computer systems is a criminal offense regardless of intent. Participants must act prudently and comply with all conditions of this policy and with applicable legal provisions.
1. Introduction
Vision Group (registered as Vision Group Holding AG, Riedwiesenstrasse 23, 8305 Dietlikon, Switzerland, CH-020-3049337-1), including its subsidiaries and affiliates globally, hereinafter referred to as the “Organisation”, considers the security of its systems and the data of its customers, partners, and stakeholders to be a paramount concern. Despite our continuous investments in security, vulnerabilities may still exist in our systems, products, and services.
We welcome individuals with the relevant skills and good intentions who wish to contribute to improving the overall security and reliability of our digital environment. This Coordinated Vulnerability Disclosure Policy («CVDP» or «Policy») defines the conditions under which such cooperation is permitted and encouraged.
By conducting any activities covered by this Policy, you accept that its provisions govern your relationship with the Organisation. This Policy is intended to complement, not replace, applicable legal obligations in any jurisdiction where the Organisation or its systems operate.
2. Scope
2.1 In Scope
This Policy applies to any digital system, service, website, API, or application that is publicly accessible and owned or operated by Vision Group or its subsidiaries. You do not need to find the asset on a predefined list. If it is reachable from the public internet and resolves to infrastructure belonging to the Organisation, it falls within this Policy.
If you are uncertain whether a particular asset belongs to the Organisation, err on the side of caution and ask before testing. You can reach us at [email protected].
2.2 Out of Scope
The following are explicitly excluded regardless of ownership or accessibility:
- Systems or services operated by third-party providers (e.g. cloud platforms, SaaS vendors, CDN providers) where the Organisation does not control the underlying infrastructure;
- Customer systems or environments managed on behalf of customers;
- Internal, non-public, staging, or development environments not reachable from the public internet;
- Social engineering, phishing, vishing, or any other deceptive practices targeting Organisation employees, contractors, or customers;
- Physical security testing (e.g. access to offices or data centres);
- Denial of Service (DoS / DDoS) attacks or any testing likely to degrade service availability;
- Automated scanning at a rate or scale that may impact service performance.
Research on systems that turn out to belong to third parties not covered by this Policy is your responsibility. If during your research you discover an asset you believe belongs to the Organisation but behaves unexpectedly, stop and report it rather than continuing to test.
3. Who Can Participate
This Policy is open to any individual acting in good faith who meets the conditions described herein. Participation is voluntary. The Organisation reserves the right to restrict participation at its sole discretion, including revoking access to specific individuals who violate this Policy.
Current employees of the Organisation and individuals who have worked under contract for the Organisation within the past twelve (12) months are not eligible for any reward under this Policy, although they are encouraged to report vulnerabilities through internal security channels.
4. Investigation Rules
When investigating potential vulnerabilities in Organisation systems, you warrant that you will at all times comply with the following principles:
- You do not use any techniques or tools that may disrupt, degrade, or deny availability of any Organisation service or system;
- You do not delete, modify, corrupt, or otherwise alter Organisation data, configurations, or system parameters in any way;
- You do not copy, retain, or exfiltrate Organisation data beyond what is strictly and minimally necessary to demonstrate the existence of a vulnerability, after which any such data must be securely and permanently destroyed;
- You do not use social engineering, phishing, brute force, password theft, or credential stuffing techniques;
- You do not attempt to pivot from a discovered vulnerability to access additional systems, escalate privileges, or move laterally beyond what is minimally necessary to confirm the vulnerability;
- You do not share access, credentials, or data obtained during your investigation with any third party;
- You do not exploit personal data accessed incidentally during your investigation. Any such data must be treated as strictly confidential, used solely to demonstrate the vulnerability, and deleted immediately thereafter;
- You conduct your research in a manner that minimises impact on real users and live data, preferring test environments, sandboxes, or dedicated test accounts where available;
- You do not install malware, backdoors, ransomware, or any other malicious software on Organisation systems;
- You do not intercept, record, or take cognisance of electronic communications not accessible to the public, except where this occurs entirely accidentally and incidentally in the course of vulnerability research, in which case such data must not be used, retained, or disclosed;
- If you wish to engage a third party to assist with your research, you must ensure that such third party is aware of this Policy and bound by its terms before commencing any activity.
5. Reporting a Vulnerability
5.1 How to Submit
Vulnerability reports must be submitted by email to [email protected] with the subject line «Responsible Disclosure». Do not use general customer service channels, social media, or public forums to report security vulnerabilities.
To: [email protected], Subject: Responsible Disclosure
5.2 What to Include
When reporting a vulnerability, provide as much of the following information as possible to enable the Organisation to reproduce and assess the issue:
- A clear description of the vulnerability, including its type (e.g., XSS, IDOR, SQLi, SSRF) and affected component;
- The URL, hostname, API endpoint, or system identifier where the vulnerability was discovered;
- Step-by-step reproduction instructions, including HTTP requests/responses, payloads used, and tools employed;
- Proof-of-concept code, screenshots, or screen recordings demonstrating the issue (without accessing real user data where possible);
- Your assessment of the potential impact and exploitability;
- Your contact details for follow-up communication.
5.3 Your Obligations When Reporting
When reporting a vulnerability you warrant that:
- You report the vulnerability to the Organisation without undue delay from the moment of discovery;
- You do not disclose the vulnerability, your investigation, or any related information to any third party without the prior written consent of the Organisation, except where required by applicable law;
- You do not publicly disclose details of the vulnerability before the Organisation has had a reasonable opportunity to investigate and remediate it, and in any event not before mutual agreement on the terms of any disclosure;
- You provide all information reasonably requested by the Organisation to verify and reproduce the finding.
6. Organisation Commitments
The Organisation commits to the following in response to good-faith vulnerability reports submitted in accordance with this Policy:
- Acknowledge receipt of your report within five (5) business days;
- Provide you with an initial assessment of the report’s validity and severity within fifteen (15) business days of acknowledgement, where possible;
- Keep you informed of progress on investigation and remediation at reasonable intervals;
- Aim to remediate confirmed, critical vulnerabilities within ninety (90) calendar days of confirmation, and use reasonable efforts for vulnerabilities of lower severity. Timelines may vary depending on complexity, third-party dependencies, and applicable regulatory requirements;
- Seek your input before any public disclosure of a vulnerability you reported;
- Not pursue civil or criminal legal action against a participant who discovers and reports vulnerabilities in good faith and in full compliance with the terms of this Policy.
IMPORTANT
This commitment is conditional on the participant strictly adhering to all conditions of this Policy. Conduct that falls outside the scope of this Policy, or that violates applicable law, is not protected.
7. Rewards
The Organisation does not, as a rule, currently offer monetary or non-monetary rewards for vulnerability reports. Where a reward is offered, it is limited to reports that meet the following criteria:
- The report is submitted in accordance with the reporting instructions in section 5;
- The vulnerability is confirmed as valid and previously unknown to the Organisation;
- The report provides sufficient detail to enable reproduction and remediation;
- The participant has complied with all obligations under this Policy during their investigation and reporting.
The value of any reward, where applicable, is determined solely at the discretion of the Organisation and will take into account the severity, impact, and quality of the report. The Organisation reserves the right to modify or discontinue its reward programme at any time.
Any request for compensation made outside the conditions established by this Policy may be treated as an attempt at extortion and reported to the competent authorities.
8. Confidentiality & Data Protection
8.1 Confidentiality of Vulnerability Information
All information exchanged between the participant and the Organisation in the context of this Policy is strictly confidential. The participant must not share, publish, or otherwise disclose any information relating to the investigation or the vulnerability without the prior written consent of the Organisation. Public disclosure of a vulnerability before remediation poses a risk to the Organisation’s users and systems, and may result in legal consequences for the disclosing party.
Where a vulnerability affects, or may affect, other organisations (for example, through shared third-party components, supply chain dependencies, or common infrastructure), the Organisation will coordinate disclosure with the affected parties and, where appropriate, with the relevant national cybersecurity authority (e.g., the national CERT / CSIRT of the relevant jurisdiction). Participants are encouraged to flag such broader impact when submitting their report.
8.2 Personal Data
This Policy is not intended to authorise the intentional collection or processing of personal data belonging to Organisation customers, employees, or third parties. The Organisation processes personal data in connection with this Policy (such as a participant’s contact details) in accordance with its Privacy Policy and applicable data protection law, including, where relevant, the EU General Data Protection Regulation (GDPR).
Where a participant incidentally accesses personal data during their investigation, they must:
- Not retain, copy, or use such personal data beyond what is strictly necessary to demonstrate the vulnerability;
- Delete any personal data obtained as soon as the vulnerability has been documented;
- Notify the Organisation promptly if they believe personal data has been exposed or at risk as a result of the vulnerability.
The participant may be considered a data processor acting on behalf of the Organisation with respect to any personal data incidentally processed. Participants must comply with applicable data protection obligations accordingly.
9. Good Faith
The protections afforded by this Policy apply only to participants who act in good faith and in full compliance with its terms. Good faith means, among other things:
- You have no fraudulent intent, intent to cause harm, or intent to use or profit from any access or data beyond what is strictly necessary for legitimate vulnerability research;
- You do not use vulnerabilities discovered under this Policy to access, extract, or manipulate data for personal gain or the benefit of any third party;
- You do not use the Organisation’s systems or data as a stepping stone to attack third parties;
- You act proportionately: once a vulnerability has been demonstrated, you stop and report it rather than continuing to exploit it.
10. Legal Framework & Applicable Jurisdiction
Vision Group operates across multiple jurisdictions. This Policy is designed to be consistent with widely recognised frameworks for coordinated vulnerability disclosure, including ISO/IEC 29147 (Vulnerability Disclosure) and ISO/IEC 30111 (Vulnerability Handling Processes), as well as guidance published by ENISA (European Union Agency for Cybersecurity).
Participants are responsible for ensuring that their activities comply with the laws of the jurisdiction(s) in which they conduct their research. This Policy does not constitute a waiver of any legal right or remedy available to the Organisation, nor does it exempt participants from liability arising from conduct that falls outside the scope of this Policy.
This Policy is governed by the laws of Switzerland. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Zurich.
To the extent that the Organisation’s systems are located in or affect users in the European Union, relevant EU legislation, including the NIS2 Directive and the GDPR, may also apply. The Organisation complies with its obligations under such legislation independently of this Policy.
11. Amendments & Contact
Vision Group reserves the right to amend this Policy at any time. The current version will always be published on the Organisation’s website. Participants are encouraged to review the Policy before commencing any investigation.
For any questions about this Policy or to report a vulnerability, please contact:
Security Team: [email protected], Subject: Responsible Disclosure
Postal: Vision Group AG, Attn: Security Team, Riedwiesenstr. 23, 8305 Dietlikon, Switzerland.