Vulnerability Disclosure Program

Last updated: 24 May 2026

The security of Productlane and the customer data we process is a core responsibility. We welcome reports from security researchers, customers, and members of the public who identify potential vulnerabilities in our services. This page describes how to submit a report, what we cover, what we ask of you, and what you can expect from us in return.

1. How to report

Send vulnerability reports to [email protected]. Please include enough detail for us to reproduce and assess the issue:

  • A description of the vulnerability and its potential impact.
  • The affected endpoint, URL, parameter, account role, or component.
  • Reproduction steps, request and response samples, or a proof-of-concept where applicable.
  • Any tooling, screenshots, or video recordings that help us confirm the issue.
  • The accounts or test data you used. If you created test accounts, share the email addresses so we can correlate logs.
  • Your name or handle, if you would like to be credited.

Reports may be submitted in English or German. We accept reports anonymously, though leaving a contact method makes it easier to follow up and credit you.

2. Scope

The following systems are in scope:

  • productlane.com and its subdomains operated by Productlane GmbH.
  • The Productlane web application, the customer portal, the help center, and the embeddable feedback widget.
  • The public API at /api/v1 and /api/v2, including webhook delivery.
  • Authentication flows, including OAuth integrations and SSO.
  • Mobile and desktop applications published by Productlane.

The following are out of scope:

  • Third-party services we use as sub-processors (Vercel, AWS, Cloudflare, Postmark, Stripe, etc.). Report directly to the vendor; copy us if Productlane data is affected.
  • Customer-controlled custom domains, white-label widgets, and help centers hosted on customer-owned infrastructure.
  • Marketing pages served from static hosts, except for issues that compromise the rest of the platform (stored XSS that leaks session data, subdomain takeover, etc.).
  • Social engineering attacks against employees, contractors, or customers.
  • Physical attacks against Productlane offices, infrastructure, or staff.

3. Rules of engagement

Research is welcome on the systems listed above, subject to the following conditions:

  • Use only accounts you own or have explicit permission to test. Do not attempt to access data belonging to other customers.
  • Stop testing as soon as you have a working proof of concept. Do not download, modify, or retain customer data beyond what is necessary to demonstrate the issue.
  • Avoid techniques that degrade service quality for customers, including high-volume scanning, denial-of-service testing, brute-force attacks, and password spraying.
  • Do not pivot, escalate privileges, or move laterally within our infrastructure beyond what is necessary to confirm the finding.
  • Hold the report confidential until we have had a reasonable opportunity to remediate, following the disclosure timeline in Section 6.
  • Comply with all applicable laws, including the GDPR and the German Criminal Code (StGB), in particular §§ 202a-202c StGB on unauthorized access to and interception of data.

4. Safe harbor

We will treat security research conducted in good faith and in accordance with this program as authorized activity. If you follow the rules in Section 3, Productlane commits to the following:

  • We will not pursue or support civil action or criminal complaints against you for accessing or interacting with Productlane systems as part of the research.
  • We will work with you in good faith to resolve any concerns if your activity unintentionally exceeds the scope or rules above.
  • We will treat good-faith research as authorized for the purposes of §§ 202a-202c StGB and analogous laws in other jurisdictions, to the extent permitted by law.

Safe harbor extends only to claims that Productlane GmbH itself can bring. We cannot waive claims by third parties, customers, or law enforcement.

5. What to expect from us

After you submit a report, we commit to the following:

  • Acknowledge receipt within 2 business days (Munich time, CET / CEST).
  • Provide an initial assessment, including severity rating and expected next steps, within 5 business days.
  • Keep you informed of remediation progress at reasonable intervals until the issue is resolved or closed.
  • Notify you when a fix has been deployed and confirm whether the issue is resolved.
  • Credit you publicly in our security acknowledgements page, if you opt in.

Target remediation windows by severity, measured from the date of confirmed triage:

  • Critical: 7 days.
  • High: 30 days.
  • Medium: 90 days.
  • Low: 180 days.

Severity is assigned using CVSS 3.1 together with the business-impact context of the affected system. We will explain our reasoning when we share the assessment.

6. Coordinated disclosure

We follow a coordinated disclosure model. You are welcome to publish details of a confirmed vulnerability 90 days after the initial report, or sooner with our written consent. If remediation takes longer than 90 days, we will work with you to agree on an extended timeline that balances customer protection with public interest.

For severe issues that affect customers, we will publish a post-incident summary on our blog and notify affected workspaces directly. We will reference your work, with your permission.

7. Recognition

Productlane does not run a paid bug bounty at this time. Valid reports that lead to a fix are acknowledged in two ways:

  • Public credit on our security acknowledgements page, with your chosen name, handle, and link.
  • Productlane swag and, for higher-severity findings, a thank-you gift at our discretion.

We review our recognition policy regularly and will update this page if we launch a monetary bounty program.

8. Out-of-scope findings

The following report categories are typically considered informational rather than vulnerabilities, and may be closed without remediation:

  • Missing security headers without a demonstrated impact (CSP, HSTS, X-Frame-Options, Referrer-Policy).
  • Lack of rate limiting on endpoints where rate limiting is not a security control (login throttling is in scope).
  • Self-XSS, clickjacking on pages without sensitive actions, and tabnabbing.
  • Email spoofing reports for domains on which SPF, DKIM, and DMARC are already correctly configured (check the published records before reporting).
  • Username, email, or workspace existence disclosure on authentication flows.
  • Reports generated by automated scanners without a working proof of concept.
  • Reports of outdated software or library versions without a demonstrated exploit that affects Productlane.
  • CSRF on logout, language toggles, or other endpoints without a security impact.
  • Open redirects on URLs that do not carry authentication or session tokens.
  • TLS configuration reports (protocol versions, cipher suites, key sizes) where our configuration already meets the Mozilla intermediate baseline.

If you believe an out-of-scope finding has a meaningful real-world impact on Productlane customers, include the impact analysis in your report and we will assess it on its merits.

9. Contact and PGP

Reports, questions about scope, and requests for clarification go to [email protected]. Mail to this address is monitored on business days during Munich working hours, with on-call coverage outside those hours for confirmed critical reports.

If you would like to encrypt your report, request our current PGP public key by sending a plaintext request to the same address and we will reply with the key and fingerprint within one business day.

10. Changes to this program

We may update this page from time to time as our services evolve. Material changes (scope, response commitments, safe harbor) will be reflected in the "Last updated" date at the top of this page. Reports submitted before a change will be handled under the terms in effect on the submission date.