Vulnerability Disclosure Policy
The security of our systems and our customers’ data is a high priority for nueprice. If you discover a potential security vulnerability, please report it responsibly so that we can review your finding and take appropriate action.
Contact
Please send security reports to security@nueprice.com.
To help us review your report efficiently, please include the following information where possible:
- a clear description of the vulnerability,
- the affected domain, URL, API, feature, or component,
- reproduction steps with minimal impact,
- potential impact and your risk assessment,
- relevant screenshots, logs, or proof-of-concept material,
- your contact details for follow-up questions.
Please do not transmit sensitive customer data, personal data belonging to third parties, or large data sets. If you unintentionally encounter such data during your research, stop your investigation at that point and report the finding to us immediately.
Scope
This policy applies to publicly reachable systems, domains, and services operated by nueprice GmbH, in particular:
- nueprice.com and its subdomains,
- the nueprice website,
- publicly reachable nueprice applications, interfaces, and APIs, where they are clearly attributable to nueprice.
The following are out of scope:
- third-party systems, domains, and services, even if they are linked to or integrated with nueprice,
- social engineering, phishing, spam, or deception of employees, customers, or partners,
- physical attacks, access attempts, or attacks on office locations,
- denial-of-service tests, load tests, or other tests that may affect availability, integrity, or confidentiality,
- automated scans with high request rates,
- exploiting a vulnerability beyond the minimum required proof,
- accessing, modifying, exfiltrating, or deleting data that does not belong to you.
Expectations for Security Researchers
Please act in good faith at all times and keep the impact on our systems and users as low as possible. Use only test accounts or your own data, avoid operational disruption, and do not publicly disclose information about the vulnerability before we have completed our review and had a reasonable opportunity to remediate it.
Response Time
We usually acknowledge receipt of your report within 5 business days.
After acknowledgement, we will review your report and, where possible, provide an initial assessment within another 10 business days. For more complex cases, we will inform you about the next steps and provide status updates when there is relevant progress.
The actual remediation timeline depends on severity, reproducibility, and the scope of required measures.
Safe Harbor
If you comply with this policy, act in good faith, and report a vulnerability to us responsibly, nueprice will consider your security research authorized. In that case, we will not initiate or support legal action against you, provided that your actions are solely for the purpose of identifying, reporting, and responsibly disclosing the vulnerability.
This safe harbor does not apply to actions outside this policy, in particular extortion, misuse of data, intentional harm, disruption of operations, social engineering, physical attacks, or accessing data beyond what is strictly necessary to demonstrate the vulnerability.
If third parties assert legal claims related to your research, we cannot make binding statements on their behalf. Please take particular care not to infringe third-party rights or data.
Disclosure
Please do not disclose details of a reported vulnerability publicly without our explicit consent. We aim for cooperative and transparent resolution and will approve disclosure once the vulnerability has been fixed or appropriately mitigated.