01
Authorized scope
This policy authorizes limited, good-faith security research only against the public website and other internet-facing services that are clearly identified as operated and controlled by Svperior. If ownership is uncertain, stop and ask before testing.
Authorization is limited to the minimum non-destructive activity needed to identify and demonstrate a plausible vulnerability in accordance with every condition below. It does not grant access to non-public systems, accounts, source code, facilities, data, or networks and does not create an agency, employment, supplier, or contractual relationship.
02
Always outside scope
- Any client, prospect, attendee, partner, supplier, adviser, employee, or other third-party system, account, device, network, premises, person, or data—even if connected to a Svperior mandate or event.
- Social engineering, phishing, vishing, impersonation, pretexting, physical access, surveillance of people, bribery, coercion, or attempts to obtain credentials or confidential information from a person.
- Denial of service, load or stress testing, destructive testing, malware, ransomware, persistence, bot activity, spam, credential stuffing, password spraying, brute force, or activity likely to impair availability or generate material cost.
- Accessing, downloading, changing, deleting, encrypting, moving, publishing, or retaining personal, confidential, privileged, client, source, or production data beyond the absolute minimum accidental view necessary to establish that exposure exists.
- Privilege escalation, lateral movement, pivoting, supply-chain compromise, changing permissions, creating accounts, installing software, bypassing billing, evading monitoring, or remaining in a system after the initial issue is established.
- Testing that violates applicable law, a third party’s rights or terms, export or sanctions restrictions, or an instruction from Svperior to stop.
03
Rules for good-faith research
- Use accounts and data you own or are expressly authorized to use. Do not test another person’s account or infer whether a named individual is a user.
- Make the fewest requests and take the least intrusive action needed to validate the issue. Do not repeatedly interact with the affected condition after obtaining a sufficient proof of concept.
- Stop immediately if you encounter personal data, client information, credentials, private keys, privileged content, or evidence of an active incident. Do not copy or retain it; report that it was encountered and request instructions.
- Preserve the confidentiality of the vulnerability and report it directly to Svperior. Do not disclose it publicly or to another party until Svperior confirms remediation or a disclosure plan is agreed.
- Do not demand payment, threaten disclosure, condition deletion of data, or use the vulnerability or report to obtain leverage.
- Comply promptly with a request to stop, provide clarification, delete retained test material, or move communication to a controlled channel.
04
What to include in a report
The first email should contain enough information to route and assess the report without creating a new exposure. Svperior will arrange a more appropriate transfer method if sensitive supporting material is genuinely required.
- The affected hostname, URL, service, feature, or version and the date and time of observation, including time zone.
- A concise description of the vulnerability, the security property affected, realistic impact, and the assumptions required for exploitation.
- Minimal, reproducible steps using sanitized values and an account or data you control.
- Relevant request and response details, screenshots, logs, or proof-of-concept material with credentials, tokens, personal data, and unrelated content removed.
- Whether any non-public data was encountered, what minimum action occurred before stopping, and whether any copy remains.
- Your preferred contact details, public key if secure communication is needed, and whether you request attribution after coordinated disclosure.
05
Response and coordination
- Acknowledgement
- Svperior aims to acknowledge a sufficiently clear report within five business days. Automated, abusive, duplicative, out-of-scope, or unintelligible submissions may receive no response.
- Triage
- Svperior aims to provide an initial assessment or request for additional information within ten business days after acknowledgement. Complex, third-party, client-sensitive, or active-incident issues may require a different process.
- Remediation
- Priority and timing depend on exploitability, consequence, affected users, architectural change, third-party dependence, testing requirements, and disclosure risk. This policy does not promise a fix, service level, or publication date.
- Disclosure
- Public disclosure, attribution, CVE handling, and timing require written coordination. Svperior may withhold operational or client-sensitive details and may involve an affected supplier, insurer, adviser, authority, or the Swiss National Cyber Security Centre where appropriate.
06
Good-faith safe harbour
Where a researcher complies with this policy, acts in good faith, remains within the authorized scope, stops when required, avoids harm, and reports promptly, Svperior will not initiate legal action against that researcher solely for the authorized research or report and will not ask law enforcement to investigate that authorized conduct.
This statement does not bind a client, supplier, platform owner, prosecutor, regulator, law-enforcement body, or other third party; does not authorize conduct outside systems Svperior controls; does not waive rights arising from negligence, misconduct, extortion, data misuse, privacy invasion, intellectual-property infringement, contractual breach, or activity outside this policy; and is not an indemnity or immunity from applicable law.
If there is uncertainty about whether an action is permitted, stop and ask. Svperior may provide written clarification or additional authorization for a specific test. Silence is not authorization.
07
Reporter data, evidence, and confidentiality
Svperior uses reporter contact details, technical evidence, network identifiers, correspondence, and remediation records to validate, investigate, coordinate, preserve evidence, prevent recurrence, and meet legal or security obligations. Reports may be shared on a need-to-know basis with affected providers, professional advisers, insurers, authorities, or other responsible parties where necessary and lawful.
Security-report records are ordinarily retained for up to 24 months after closure and may be kept longer where an incident, recurring vulnerability, legal hold, claim, or regulatory duty requires it. Reporter rights and international-transfer information are described in the Client Privacy Notice.
08
Recognition and reward
This is a coordinated disclosure channel, not a bug-bounty programme. Submission does not create an entitlement to payment, reimbursement, a gift, employment, a contract, public recognition, or permission to use Svperior’s name or marks. Svperior may choose to provide credit only with the researcher’s agreement and after the disclosure position is resolved.
09
Unresolved reports
If a credible report affecting Switzerland cannot be routed to the responsible owner or receives no adequate response, a researcher may consider the Swiss National Cyber Security Centre’s coordinated vulnerability disclosure channel. The researcher remains responsible for following the NCSC framework and for preserving confidentiality while coordination continues.
