
Responsible Vulnerability Disclosure Program

Introduction

The security of our systems and services, as well as our customers' data, is of great importance to us. As part of our efforts to continuously improve and ensure the security of our systems, we invite security researchers and ethical hackers to responsibly disclose potential security vulnerabilities through our Vulnerability Disclosure Program (VDP), which we describe on this page.


Rules of Engagement

  • Notify us as soon as you discover a real or potential security issue.
  • If you confirm a vulnerability or encounter sensitive data (including personal data, financial information, or proprietary material), stop testing immediately and notify us.
  • Do not disclose information from your report or acknowledge the existence of a reported vulnerability to third parties, unless you were explicitly granted permission from us.
  • Use exploits only to the extent required to confirm a vulnerability exists. Do not use an exploit to compromise or exfiltrate data, to establish persistent access, or to take over other systems.
  • Do not create privacy violations, degrade the user experience, disrupt production systems, or delete/alter data.
  • Prioritise quality over quantity: submit applicable, detailed, and reproducible findings.

Scope

All publicly accessible IT systems and services that are owned and operated by Brack.Alltron AG are in scope:

Websites:

  • *.brack.ch
  • *.alltron.ch
  • *.daydeal.ch
  • *.jamei.ch
  • *.furber.ch
  • *.furberproducts.ch
  • *.koorproducts.ch
  • *.coconproducts.ch
  • *.onitproducts.ch
  • *.structproducts.ch
  • *.krafterproducts.ch
  • *.competec.ch
  • *.brackalltron.ch

Subdomains Out of Scope:

  • i.brack.ch
  • h.brack.ch


Apps:


Relevant Vulnerabilities covered by the Program

The program primarily covers the following types of vulnerabilities. Generally speaking, we are interested in learning about flaws in design or implementation that could significantly impact the confidentiality, integrity or availability of our systems.

  • Flaws in authentication or authorization
  • Rate-limit / brute-force bypasses
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Server-Side Template Injection (SSTI)
  • SQL Injection (SQLi)
  • XML External Entity (XXE)
  • Remote Code Execution (RCE)
  • Local / Remote File Inclusion (LFI / RFI)
  • Insecure default configs / misconfigurations
  • Business-logic vulnerabilities
  • API-specific issues
  • Abuse of Chatbot

Out of Scope Vulnerabilities

The following are not eligible for this program unless accompanied by a clear, functional proof of concept demonstrating real exploitability:

  • Security concerns or best practices that lack exploitable impact
  • Social engineering attempts
  • Physical-access vulnerabilities of any kind affecting our facilities and buildings
  • Denial of Service attacks
  • Email Spoofing
  • Reports that a library contains known vulnerabilities, unless you can show exploitation beyond the known issue
  • Insecure SSL/TLS cipher suites or weak signature algorithms — accepted only with a working proof of concept showing how they can be exploited
  • Missing HTTP security headers — accepted only with a comprehensive proof of concept that demonstrates exploitability

Safe Harbor

If you follow this policy, your testing will be treated as authorized and we will not pursue legal action.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us before going any further.


What you can expect from us

  • This is not a bug bounty program; there is no guaranteed monetary reward. We will, however, express our appreciation based on the severity of the finding.
  • A timely response within 15 (business) days
  • The possibility to discuss/present findings through a video call or even in person if beneficial

Reporting

Send an e-mail to: it-security@brackalltron[.]ch

Report Language

English or German

Report Template

# Description

add details about this vulnerability

# Severity

your assessment of the criticality of the vulnerability

# Proof of Concept

screenshots / code

# Steps for Reproduction

Add a step-by-step instruction for us to reproduce your findings

# Time of Discovery and Testing

When did you discover this flaw and when did you verify it (if at all)

# Supporting Materials / Evidence

add screenshots, logs, etc.