Vulnerability Disclosure Program


At Digitec Galaxus AG, we're dedicated to providing a safe and secure online environment for our valued customers. We are completely dedicated to maintaining top-notch security standards and safeguarding user privacy. As part of our ongoing efforts to fortify our systems and services, we invite the collaboration of external security researchers and ethical hackers through our Vulnerability Disclosure Program (VDP).


  • Notify us as soon as possible after you discover a real or potential security issue.

  • Avoid creating any privacy violations, degradation of the user experience, disruption to production systems, and the destruction and manipulation of data.

  • Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.

  • You are prohibited from revealing any information from the report or even acknowledging the existence of a reported vulnerability to any third party.

  • Prioritise quality over quantity. Ensure that your vulnerability reports are well-researched, detailed, and reproducible.

Once you've established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.


All public accessible IT systems owned by Digitec Galaxus AG are in scope.



Public Repositories:


The vulnerabilities outlined below qualify for our security program. Any design or implementation problem significantly impacting the confidentiality or integrity of user data is covered by the program.

  • XSS (Cross-Site Scripting)

  • CSRF (Cross-Site Request Forgery)

  • SSRF (Server-Side Request Forgery)

  • SSTI (Server-Side Template Injection)

  • SQL Injection

  • XXE (XML External Entity)

  • RCE (Remote Code Execution)

  • LFI/RFI (Local/Remote File Inclusions)

  • Flaws in Authentication or Authorisation processes

Out of scope vulnerabilities

  • Security concerns or best practices that generally lack immediate exploitable impact

  • Social engineering

  • All kind of physical access vulnerabilities

  • Denial of Service attack

  • Email Spoofing

  • Lack of jailbreak detection, binary protection, certificate pinning, obfuscation

  • Reports regarding absent HTTP security headers will be considered only if substantiated by a comprehensive proof of concept demonstrating how their absence could be exploited.

  • The usage of a library containing known vulnerabilities, unless there is proof indicating subsequent exploitation beyond the known vulnerabilities.

  • Reports concerning insecure SSL/TLS ciphers or weak signature algorithms will be evaluated only if supported by a functional proof of concept illustrating their potential for exploitation

Safe Harbor

As long as you follow this policy, your actions will be viewed as authorised, and we won't take legal action against you. If someone else tries to take legal action against you for what you did while following this policy, we'll help show that you were following our rules.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us before going any further.

What you can expect from us

  • This is no bug bounty program, so you can’t expect a reward. But we will show our gratitude based on the criticality of your finding.

  • A timely response within 5 (business) days

  • Coffee / beer at our office in Zurich if you want to discuss your findings

  • A badge for your community profile in our shop if you find something critical


Send an e-mail to:

Report Language
English or German

Report Template

# Description
add details about this vulnerability

# Proof of Concept
screenshots / code

# Steps for Reproduction
add step-by-step guide

# Supporting materials:
add screenshots, logs, etc.