ClientsLeadershipOperating ModelBackstoryIntelligenceEvents
Send Private InquiryReview
Menu
HomeClientsLeadershipOperating ModelBackstoryIntelligenceEventsSend Private Inquiry

LEGAL & SECURITY / RESPONSIBLE DISCLOSURE

PUBLIC RECORD / EN

Report a vulnerability without increasing the risk.

Svperior welcomes good-faith reports concerning public systems it controls. This policy defines the authorization boundary, the conduct required to remain within it, and the route for coordinated resolution.

Effective 13 July 2026

inquire@svperior.com ↗
Report channel
inquire@svperior.com with the subject line Responsible Disclosure.
Initial message
Describe the affected asset and risk at a high level. Ask for a secure route before sending exploit code, personal data, credentials, or sensitive evidence.
Bounty position
No bug bounty, payment, gift, employment, or public credit is offered unless Svperior agrees it in writing before the relevant commitment is made.
Client systems
Never in scope under this policy, even where Svperior designed, advises on, monitors, or supports them.

On this page

  1. 01Authorized scope
  2. 02Always outside scope
  3. 03Rules for good-faith research
  4. 04What to include in a report
  5. 05Response and coordination
  6. 06Good-faith safe harbour
  7. 07Reporter data, evidence, and confidentiality
  8. 08Recognition and reward
  9. 09Unresolved reports

01

Authorized scope

This policy authorizes limited, good-faith security research only against the public website and other internet-facing services that are clearly identified as operated and controlled by Svperior. If ownership is uncertain, stop and ask before testing.

Authorization is limited to the minimum non-destructive activity needed to identify and demonstrate a plausible vulnerability in accordance with every condition below. It does not grant access to non-public systems, accounts, source code, facilities, data, or networks and does not create an agency, employment, supplier, or contractual relationship.

02

Always outside scope

  • Any client, prospect, attendee, partner, supplier, adviser, employee, or other third-party system, account, device, network, premises, person, or data—even if connected to a Svperior mandate or event.
  • Social engineering, phishing, vishing, impersonation, pretexting, physical access, surveillance of people, bribery, coercion, or attempts to obtain credentials or confidential information from a person.
  • Denial of service, load or stress testing, destructive testing, malware, ransomware, persistence, bot activity, spam, credential stuffing, password spraying, brute force, or activity likely to impair availability or generate material cost.
  • Accessing, downloading, changing, deleting, encrypting, moving, publishing, or retaining personal, confidential, privileged, client, source, or production data beyond the absolute minimum accidental view necessary to establish that exposure exists.
  • Privilege escalation, lateral movement, pivoting, supply-chain compromise, changing permissions, creating accounts, installing software, bypassing billing, evading monitoring, or remaining in a system after the initial issue is established.
  • Testing that violates applicable law, a third party’s rights or terms, export or sanctions restrictions, or an instruction from Svperior to stop.

03

Rules for good-faith research

  • Use accounts and data you own or are expressly authorized to use. Do not test another person’s account or infer whether a named individual is a user.
  • Make the fewest requests and take the least intrusive action needed to validate the issue. Do not repeatedly interact with the affected condition after obtaining a sufficient proof of concept.
  • Stop immediately if you encounter personal data, client information, credentials, private keys, privileged content, or evidence of an active incident. Do not copy or retain it; report that it was encountered and request instructions.
  • Preserve the confidentiality of the vulnerability and report it directly to Svperior. Do not disclose it publicly or to another party until Svperior confirms remediation or a disclosure plan is agreed.
  • Do not demand payment, threaten disclosure, condition deletion of data, or use the vulnerability or report to obtain leverage.
  • Comply promptly with a request to stop, provide clarification, delete retained test material, or move communication to a controlled channel.

04

What to include in a report

The first email should contain enough information to route and assess the report without creating a new exposure. Svperior will arrange a more appropriate transfer method if sensitive supporting material is genuinely required.

  • The affected hostname, URL, service, feature, or version and the date and time of observation, including time zone.
  • A concise description of the vulnerability, the security property affected, realistic impact, and the assumptions required for exploitation.
  • Minimal, reproducible steps using sanitized values and an account or data you control.
  • Relevant request and response details, screenshots, logs, or proof-of-concept material with credentials, tokens, personal data, and unrelated content removed.
  • Whether any non-public data was encountered, what minimum action occurred before stopping, and whether any copy remains.
  • Your preferred contact details, public key if secure communication is needed, and whether you request attribution after coordinated disclosure.

05

Response and coordination

Acknowledgement
Svperior aims to acknowledge a sufficiently clear report within five business days. Automated, abusive, duplicative, out-of-scope, or unintelligible submissions may receive no response.
Triage
Svperior aims to provide an initial assessment or request for additional information within ten business days after acknowledgement. Complex, third-party, client-sensitive, or active-incident issues may require a different process.
Remediation
Priority and timing depend on exploitability, consequence, affected users, architectural change, third-party dependence, testing requirements, and disclosure risk. This policy does not promise a fix, service level, or publication date.
Disclosure
Public disclosure, attribution, CVE handling, and timing require written coordination. Svperior may withhold operational or client-sensitive details and may involve an affected supplier, insurer, adviser, authority, or the Swiss National Cyber Security Centre where appropriate.

06

Good-faith safe harbour

Where a researcher complies with this policy, acts in good faith, remains within the authorized scope, stops when required, avoids harm, and reports promptly, Svperior will not initiate legal action against that researcher solely for the authorized research or report and will not ask law enforcement to investigate that authorized conduct.

This statement does not bind a client, supplier, platform owner, prosecutor, regulator, law-enforcement body, or other third party; does not authorize conduct outside systems Svperior controls; does not waive rights arising from negligence, misconduct, extortion, data misuse, privacy invasion, intellectual-property infringement, contractual breach, or activity outside this policy; and is not an indemnity or immunity from applicable law.

If there is uncertainty about whether an action is permitted, stop and ask. Svperior may provide written clarification or additional authorization for a specific test. Silence is not authorization.

07

Reporter data, evidence, and confidentiality

Svperior uses reporter contact details, technical evidence, network identifiers, correspondence, and remediation records to validate, investigate, coordinate, preserve evidence, prevent recurrence, and meet legal or security obligations. Reports may be shared on a need-to-know basis with affected providers, professional advisers, insurers, authorities, or other responsible parties where necessary and lawful.

Security-report records are ordinarily retained for up to 24 months after closure and may be kept longer where an incident, recurring vulnerability, legal hold, claim, or regulatory duty requires it. Reporter rights and international-transfer information are described in the Client Privacy Notice.

08

Recognition and reward

This is a coordinated disclosure channel, not a bug-bounty programme. Submission does not create an entitlement to payment, reimbursement, a gift, employment, a contract, public recognition, or permission to use Svperior’s name or marks. Svperior may choose to provide credit only with the researcher’s agreement and after the disclosure position is resolved.

09

Unresolved reports

If a credible report affecting Switzerland cannot be routed to the responsible owner or receives no adequate response, a researcher may consider the Swiss National Cyber Security Centre’s coordinated vulnerability disclosure channel. The researcher remains responsible for following the NCSC framework and for preserving confidentiality while coordination continues.

Operating statements

The complete public boundary.

Security Posture

The public control boundary and operating approach this reporting process is intended to protect.

Read statement →
Client Privacy

How reporter identity, technical evidence, correspondence, and security records are handled.

Read statement →
Legal & Security

The general website conditions and the relationship between this limited authorization and other use restrictions.

Read statement →

Authority references

Official routes.

Swiss NCSC coordinated disclosure

The official Swiss route for vulnerability coordination where the responsible owner cannot be reached or does not respond adequately.

External reference ↗

Svperior GmbH. There's no room for second place.

Backstory · Leadership · Events · Legal & security · Client privacy · Inquire ·