Security Policy
The security of our connected products and the protection of our customers’ data are our highest priorities. Despite careful development practices and continuous testing, security vulnerabilities can never be completely eliminated. If you discover a vulnerability in one of our products, systems, or services, we appreciate your support in reporting it to us confidentially and through a coordinated disclosure process.
Reporting a Vulnerability
Reports must be submitted directly to our security team. Reporting process:
+ Email: security@multi-cash.at
+ Encryption: To protect sensitive information, reports must be encrypted using our public PGP key. The public key is available in our Legal Notice (Imprint).
+ Report contents: To enable us to investigate and remediate the issue efficiently, please include a clear description of the vulnerability; the affected product(s), software version(s), or system(s); step-by-step instructions to reproduce the issue, including a Proof of Concept (PoC), where applicable.
Our Commitment to Security Researchers
If you act in accordance with this policy, Multi Cash Automation commits to the following:
+ We will not initiate or support civil or criminal legal action against you for your vulnerability research and disclosure.
+ Upon request, we will treat your identity as strictly confidential.
+ We will work with you in a transparent and cooperative manner to investigate and resolve the reported issue.
Scope of Valid Vulnerability Reports
A vulnerability report will be considered valid if it meets all of the following criteria:
+ The reported vulnerability affects at least one Multi Cash Automation product, service, or our supporting infrastructure.
+ The vulnerability has not been publicly disclosed at the time of reporting.
+ Reports must not consist solely of the output of automated vulnerability scanners or security tools without sufficient supporting analysis or documentation. Reports that appear to have been generated automatically without meaningful validation may not receive a response.
Guidelines for Security Researchers
We ask all security researchers to act responsibly while conducting security testing.
+ Do no harm: Do not perform activities that could disrupt the availability or operation of our products, devices, systems, or services (e.g., Denial-of-Service (DoS) attacks).
+ Respect privacy: Do not access, modify, or disclose data belonging to customers, partners, or other third parties. If you inadvertently encounter personal or confidential data during your research, stop your investigation immediately and securely delete any copies of such data.
+ No extortion: We will not respond to reports accompanied by ransom demands, threats, or deadlines for public disclosure.
+ Coordinated disclosure: Do not publicly disclose details of the vulnerability until we have had a reasonable opportunity to investigate the issue and provide an appropriate security update or mitigation to our customers.
Vulnerability Handling Process
We take every vulnerability report seriously and aim to respond according to the following timeline:
+ Acknowledgement (within 72 hours): We will acknowledge receipt of your report as quickly as possible and, in any case, within 72 hours.
+ Validation (within 10 days): Our technical team will assess the reported vulnerability and provide an initial response regarding its validity and severity within 10 days.
+ Remediation: We will work diligently to develop and deploy an appropriate security fix. The time required depends on the complexity and impact of the issue. Once we consider the remediation process complete, we will inform the reporting party accordingly.