Security

Information on reporting vulnerabilities and our responsible disclosure process

Protecting our users' data is our highest priority. We welcome reports about security vulnerabilities in our systems so we can address them quickly.

Thank You for Your Support
Security researchers make an important contribution to protecting our systems and users. We take every report seriously.

Scope

This policy applies to the following services. Please note that some services may be tested only subject to restrictions, or exclusively in test environments:

Public Services

S3 Note
For s3.nrw, this policy applies to the eu-central-1 zone. Buckets in German zones (de-*) may be tested if they belong to the listed web applications.

Test Environments

SaaS
Software-as-a-Service test environments
IaaS
Infrastructure-as-a-Service test environments
PaaS
Platform-as-a-Service test environments
Limited Availability
SaaS, IaaS and PaaS test environments are not publicly accessible. Availability for security assessments is provided selectively upon request. Please contact us before starting your investigation.

Production systems that are not explicitly listed, as well as third-party infrastructure, may not be tested without express permission. If in doubt, please contact us before starting your investigation.
Report a Vulnerability

Please send vulnerability reports to:

Security Team

Email:
PGP:

Information to Include

Your report should include the following information to help us analyze the vulnerability quickly:

Affected URL
Exact URL or affected service
Description
Brief description of the vulnerability
Reproduction
Step-by-step instructions to reproduce
Technical Details
Browser, requests, screenshots, PoC
Impact
Potential impact of the vulnerability
CVSS
Severity rating (optional)

Our Process

We typically acknowledge receipt of reports within 3 business days and will keep you informed about next steps. Our security contact information is also available at /.well-known/security.txt.

After receiving your report, we go through the following phases:

Triage

We evaluate the severity and impact of the reported vulnerability.

Remediation

Our team develops and implements a fix.

Retest

We verify the successful remediation.

Completion

We inform you about the result.

Privacy Notice
Personal data in your report is processed in accordance with GDPR. Details can be found in our Privacy Policy. Only submit data that is necessary for the security analysis.

Rules of Engagement

To protect all parties involved, we ask you to follow these guidelines:

Protect Data
Do not perform any actions that could lead to data loss or corruption.
No Data Access
Do not actively access third-party data and do not exfiltrate personal data.
No Attacks
Refrain from social engineering, phishing, or physical attacks.
Stay Measured
Do not exploit found vulnerabilities beyond what is strictly necessary for proof.
No Service Disruption
Do not perform denial-of-service tests or resource-intensive tests.
No AI Compromise
Do not attempt to manipulate or compromise AI agents.
Responsible Disclosure (90 Days)
Please give us at least 90 days to analyze and fix the reported vulnerability before publishing any information about it.

Our Promise (Safe Harbor)

If you report a vulnerability in accordance with this policy and in good faith:

No Legal Action
We will not pursue civil or criminal legal action against you.
Confidentiality
We will treat your report confidentially and will not share personal data without your consent.
Transparency
We will endeavor to keep you informed about the status (confirmation, assessment, fix).
Recognition
Please note that this policy does not create an entitlement to compensation. We reserve the right to recognize particularly helpful reports at our discretion (e.g., through acknowledgment or a small token of appreciation).

Bug Bounty Program

No Public Bug Bounty Program
We currently do not operate a public bug bounty program with fixed bounties. If this changes in the future, we will publish information about scope and participation terms on this page.

Last updated: March 2026