Vulnerability Disclosure Policy

of
DSMK • Digital Solutions Marco Kriegner
Dr.-Scheiber-Strasse 51, 4870 Vöcklamarkt, Austria

Please note that the original document was written in German. You are reading an automated translation, which has been proofread by a human but cannot be considered binding. Only the German document, which is available in the German-language section of this website, is binding.


Purpose and Objective

The protection of the confidentiality, integrity, and availability of the information-processing systems operated by DSMK constitutes a fundamental corporate objective.
This Vulnerability Disclosure Policy, hereinafter referred to as the "VDP", defines the conditions under which security vulnerabilities in DSMK’s IT systems may be reported. It primarily serves to ensure the structured receipt of security-related notifications and the fulfillment of legal and regulatory requirements in the field of information security.


Scope

This Policy applies to all IT systems, applications, and digital services operated or technically managed by DSMK, including Software-as-a-Service (SaaS) offerings, and in particular:

  • Websites and web applications
  • Application programming interfaces (APIs)
  • Platforms, servers, backend systems, administrative interfaces, and cloud systems, insofar as these are administered by DSMK


The following are explicitly excluded from the scope of this Policy:

  • Systems or services of third parties over which DSMK does not have direct administrative control
  • Social engineering attacks (e.g., phishing, pretexting)
  • Denial-of-service attacks (DoS/DDoS)
  • Physical attacks against infrastructure, premises, or individuals
  • Vulnerabilities in external services, libraries, or infrastructures that are used or integrated by DSMK but are not operated or administered by DSMK

Permissible Activities in the Context of Security Testing

Reports of security vulnerabilities may only be made in compliance with the following principles:

  • No impairment of the availability of systems or services
  • No unauthorized access to personal data or other confidential information
  • No modification, deletion, or manipulation of data
  • No automated or large-scale testing activities
  • No disclosure or publication of findings without prior consent

Any actions exceeding those strictly necessary to identify the security vulnerability are prohibited.

Reporting of Security Vulnerabilities

Security-related notifications must be submitted without undue delay and exclusively via the following communication channel:
Email: security@dsmk.at

Where possible, the report should include the following information:

  • Description of the identified vulnerability
  • Affected systems, URLs, or components
  • Reproducibility and/or technical details
  • Assessment of the potential risk

The provision of personal data is neither required nor desired, unless strictly necessary.

Handling of Reports

Upon receipt of a report, DSMK will review and internally assess the information provided. There is no entitlement to feedback, status updates, or disclosure of measures taken. Remediation or risk mitigation shall be carried out in accordance with internal prioritization and technical feasibility.


No Compensation

DSMK does not operate a bug bounty program. There is no entitlement to remuneration, reimbursement of expenses, or any other form of compensation for the reporting of security vulnerabilities, regardless of the nature, scope, or severity of the reported issue.


Confidentiality and Disclosure

Reported security vulnerabilities must be treated as confidential. Any publication, disclosure to third parties, or other form of dissemination is prohibited without the prior written consent of DSMK.


Liability and Legal Notice

Provided that a reporting party:

  • acts exclusively within the scope of this Policy,
  • does not engage in intentional or grossly negligent conduct,
  • does not exfiltrate, modify, or publish data, and
  • does not cause any disruption to ongoing operations,
DSMK will not use the report as a basis for initiating civil or criminal proceedings. This assurance applies exclusively within the limits of mandatory Austrian and European law.

Data Protection

Personal data processed in connection with security reports shall be processed solely for the purpose of handling the report pursuant to Article 6(1)(f) GDPR (legitimate interest). Further information can be found in our Privacy Policy.


Amendments

DSMK reserves the right to amend or replace this Vulnerability Disclosure Policy at any time. The version published on the website at the relevant time shall apply.


Contact

For questions regarding this Policy or other matters, please refer to the contact details provided in our Legal Note.

Date of Version: January 17, 2026