Coordinated Vulnerability Disclosure (CVD) guideline for security researchers

If you have found a technical vulnerability in one of Neurohr Bytes Software's systems (like the portal you are currently visiting), you can report this directly to our development team (see below).

If you have found a vulnerability in an IT system or IT product that does not belong to Neurohr Bytes Software e.U., the vulnerability should first be reported to the owner of the system or the manufacturer.

We promise,

If you have provided personal data in the report, please note our data protection policy.

We expect from you:

Vulnerability reports via Signal (preferred method)

For the quickest response time, please contact +43-680-2311-673 via the Signal messenger.

Vulnerability reports via E-Mail

Researchers who use their own reporting format (e.g. via PDF or txt) can also send vulnerability reports and coordination requests directly to Neurohr Bytes Software e.U. at vulnerability@bytes.software.

A vulnerability report should contain the following information:

  1. The name of the manufacturer/product owner and whether contact was established with them.
  2. The name of the product and the tested version number.
  3. A simple description (if necessary with screenshots or other illustrations for better comprehensibility) showing how the vulnerability was discovered (including any tools used).
  4. An assignment of the vulnerability to the OWASP Top 10 (preferably in the most current version; see https://owasp.org/www-project-top-ten). If none of the vulnerability categories fits, this should be described in more detail as "Other".
  5. Proof-of-concept (PoC) code or instructions showing how the vulnerability can be exploited (mandatory).
  6. An (informal) declaration of consent to include a name/alias on the recognition website (Hall of Fame) of Neurohr Bytes Software e.U., if desired.
  7. A risk assessment, taking into account the technical conditions to determine the severity of the vulnerability (e.g. by using a CVSS value and the associated matrix -- preferably in the most current version).
  8. A description of the impact of the reported vulnerability or a threat model that describes a relevant attack scenario.