Vulnerability Disclosure Policy

Version: 2026-03-11

1. Purpose and Scope

1.1. AtroCore GmbH (hereinafter also referred to as the Company) is committed to maintaining the security of its software products, platform services, and internal systems. The security of the data entrusted to us by our customers, partners, and users is of the highest importance.

1.2. This Vulnerability Disclosure Policy (VDP) establishes a transparent and structured process for external security researchers, customers, partners, and members of the public (hereinafter referred to as Reporters) to report suspected or confirmed security vulnerabilities affecting AtroCore's products and systems in a responsible manner.

1.3. This policy applies to all software, services, APIs, and infrastructure operated or maintained by AtroCore GmbH, including but not limited to:

  • The AtroCore platform and its REST API
  • Import/Export Feed interfaces
  • AtroCore-hosted SaaS environments
  • AtroCore public-facing websites and web applications

1.4. This policy does not apply to vulnerabilities in third-party software or services that AtroCore does not develop or control, even if such software is used in connection with AtroCore products. Reporters are encouraged to report such issues directly to the relevant vendor.

2. Our Commitment

2.1. AtroCore GmbH is committed to working collaboratively and in good faith with security researchers and the broader security community. In return for responsible disclosure in accordance with this policy, AtroCore commits to the following:

2.2. The Company will acknowledge receipt of a vulnerability report within 5 business days of receiving it.

2.3. The Company will investigate all reported vulnerabilities promptly and keep the Reporter informed of the progress of the investigation to the extent permitted by confidentiality and legal considerations.

2.4. The Company will not pursue legal action against Reporters who discover and report vulnerabilities in good faith and in compliance with this policy.

2.5. The Company will treat all submitted reports with confidentiality and will not share the Reporter's personal information with third parties without the Reporter's explicit consent, unless required to do so by law.

2.6. The Company will work to remediate confirmed vulnerabilities within the timeframes set out in Section 6 of this policy and will notify the Reporter once the remediation has been completed.

3. Responsible Disclosure Guidelines

3.1. Reporters are expected to act in good faith and to conduct their research in a manner that does not cause harm to AtroCore, its customers, or any individuals whose data may be involved.

3.2. When investigating a potential vulnerability, Reporters must not:

  • Access, modify, delete, or exfiltrate data belonging to AtroCore or its customers beyond what is strictly necessary to demonstrate the existence of the vulnerability
  • Perform denial-of-service attacks or any other action that degrades the availability or performance of AtroCore systems
  • Introduce malware, backdoors, or any other malicious code into AtroCore systems
  • Perform social engineering attacks against AtroCore employees, contractors, or customers
  • Disclose any information about a vulnerability to third parties or publicly before AtroCore has had a reasonable opportunity to investigate and remediate it
  • Use automated scanning tools against production environments without prior written approval from AtroCore

3.3. Reporters who comply with this policy will be considered to have acted in good faith, and AtroCore will not take legal action against them in connection with their research activities.

3.4. AtroCore encourages Reporters to use dedicated test or staging environments where available for security research purposes. If a Reporter is uncertain whether a particular testing activity is permitted, they should contact AtroCore before proceeding.

4. How to Report a Vulnerability

4.1. Security vulnerabilities should be reported to the AtroCore Information Security Team by sending an email to the Data Protection Officer at with the subject line: "Vulnerability Report – [brief description]".

4.2. To enable AtroCore to assess and respond to the report efficiently, Reporters are asked to include the following information where possible:

  • A clear and concise description of the vulnerability, including its type (e.g. SQL injection, broken access control, information disclosure)
  • The affected product, service, or system, including version numbers where known
  • A step-by-step description of how to reproduce the vulnerability
  • The potential impact of the vulnerability, including what data or functionality could be affected
  • Any supporting evidence such as screenshots, proof-of-concept code, or HTTP request/response captures
  • The Reporter's contact details, should AtroCore need to follow up

4.3. Reports may be submitted in English or German.

4.4. AtroCore does not currently operate a bug bounty programme. Vulnerability reports are accepted on a voluntary basis and without financial compensation unless explicitly agreed otherwise in writing.

5. Severity Classification

5.1. Upon receipt of a report, AtroCore will assess the severity of the reported vulnerability using the following classification:

Critical refers to vulnerabilities that allow unauthorized access to sensitive personal data or confidential customer data, remote code execution, complete system compromise, or any issue likely to result in a personal data breach as defined under GDPR Article 33.

High refers to vulnerabilities that allow significant unauthorized access to systems or data, privilege escalation, or bypass of core authentication or authorization controls.

Medium refers to vulnerabilities that present a meaningful security risk but require specific conditions or user interaction to exploit, or that have a limited impact on the confidentiality, integrity, or availability of data.

Low refers to vulnerabilities with minimal exploitability or impact, including informational issues, minor misconfigurations, or findings that present a theoretical rather than a practical risk.

6. Remediation Timeframes

6.1. AtroCore is committed to remediating confirmed vulnerabilities within the following target timeframes, measured from the date on which the vulnerability is confirmed:

Critical severity vulnerabilities will be addressed within 72 hours.

High severity vulnerabilities will be addressed within 7 calendar days.

Medium severity vulnerabilities will be addressed within 30 calendar days.

Low severity vulnerabilities will be addressed within 90 calendar days.

6.2. Where remediation within the above timeframes is not technically or operationally feasible, AtroCore will notify the Reporter of the delay, explain the reasons, and provide a revised target date.

6.3. In cases where a vulnerability has been confirmed as Critical and involves a risk to personal data, AtroCore will additionally follow the breach response procedures set out in the AtroCore Personal Data Breach Policy and, where required, notify the competent supervisory authority within 72 hours in accordance with GDPR Article 33.

7. Coordinated Disclosure

7.1. AtroCore follows a coordinated disclosure approach. This means that vulnerability details will not be published publicly until a remediation has been made available, or until an agreed disclosure timeline has elapsed.

7.2. AtroCore requests that Reporters refrain from publishing or sharing details of a reported vulnerability for a period of at least 90 calendar days from the date of initial report submission, to allow sufficient time for investigation and remediation.

7.3. Where AtroCore is unable to remediate a vulnerability within 90 days, the Company will engage with the Reporter in good faith to agree on an appropriate extended disclosure timeline.

7.4. AtroCore may, with the Reporter's consent, acknowledge the Reporter's contribution publicly following remediation of the reported vulnerability.

8. Out-of-Scope Issues

8.1. The following categories of issues are considered out of scope for this policy and will generally not be accepted as valid vulnerability reports:

  • Vulnerabilities in third-party software, libraries, or services not under AtroCore's control
  • Issues that require physical access to a device or system
  • Social engineering or phishing attacks targeting AtroCore personnel
  • Denial-of-service attacks or findings derived from such attacks
  • Theoretical vulnerabilities without a demonstrated or plausible exploitation path
  • Missing security headers or TLS configuration issues on non-sensitive endpoints where the risk is negligible
  • Reports generated by automated scanning tools without accompanying analysis or proof of exploitability
  • Issues relating to software versions that have reached end of life and are no longer supported by AtroCore

9. Policy Review

9.1. This policy will be reviewed at least annually, or following any significant security incident, material change to AtroCore's product or infrastructure landscape, or relevant changes to applicable EU or German law.

9.2. The Data Protection Officer is responsible for maintaining and updating this policy and must be consulted in any review that affects the processing of personal data.

For vulnerability reports and security enquiries, contact: