Responsible Disclosure

Guidelines for responsible disclosure

The security of our systems and products is of great concern to us and is therefore a top priority.
Despite all the efforts we invest in our technologies, our systems may still contain vulnerabilities.
If you discover a weakness in one of our systems, we would appreciate being notified.

Rules of the game

Do not share information about any security issue with third parties until the problem has been resolved.
Let us know how and when the vulnerability or error occurs. Please describe in detail how the problem can be reproduced, including the procedure you used and the time at which you encountered it.

Treat your knowledge of the security issue in question responsibly. Do not take any action beyond what is strictly necessary to report the security issue.

Do not exploit the vulnerability maliciously, and do not store any confidential data obtained through the vulnerability.

If needed, leave your contact details (e-mail address or phone number) so that we can contact you about our assessment and our progress in eliminating the vulnerability. We also take anonymous reports seriously.

Our Responsible Disclosure Policy does not constitute an invitation to actively scan our corporate network extensively for vulnerabilities.

We monitor our own networks.
If the problem is to be publicised at all, this may only take place in consultation with the group of companies.

Outside the scope of the guideline

The vulnerabilities listed below do not need to be reported under the Responsible Disclosure Policy.
Security vulnerabilities outside the scope of this guideline include:

  • Physical attacks against data centres or any property of the group of companies
  • Social engineering attacks targeting employees or customers (e.g. fake login pages, customer service, social media)
  • Distribution of spam e-mails
  • Denial of Service attacks
  • Missing HTTP security headers without a specific effect
  • Errors that can only be exploited through clickjacking
  • Self-XSS
  • Vulnerabilities that require unlikely user interactions (e.g. disabling browser protections)
  • Disclosure of information marked as public
  • Attacks that require a man-in-the-middle position

What you can expect from us

If you choose to share your contact information with us, we are committed to keeping you informed as openly and as quickly as possible.

We guarantee a response within five working days.

In the meantime, we aim to keep you informed of our progress in resolving the issue.

We will treat your report in strict confidence and will not share your personal information with any third party without your consent, unless required to do so by law or court order. We will decide together with you whether and how to announce the reported problem.

Disclosure of security vulnerabilities

To disclose a potential security vulnerability, please send the information to the following address:

disclosure@cal.at

We thank you for your support in protecting our services and data in the best possible way.