SKIKK Responsible Disclosure Program
Overview
At SKIKK, the security of our systems and the protection of our customers’ data are top priorities.
Despite our best efforts, vulnerabilities may still exist. We therefore welcome responsible security research and provide this Responsible Disclosure Program to enable researchers to report security issues safely and ethically.
This program is intended for good-faith security research only. It is not a bug bounty program and does not offer monetary rewards.
Scope
In-scope domains
-
www.skikk.eu
Only systems owned and operated by SKIKK are in scope. Third-party services, integrations, and external providers are out of scope, unless explicitly stated otherwise.
In-scope vulnerability categories
We are primarily interested in vulnerabilities that may impact the confidentiality, integrity, or availability of our systems or customer data, including but not limited to:
-
Sensitive Data Exposure
-
Authentication & Session Management issues
-
Insecure Direct Object References (IDOR)
-
Injection vulnerabilities (SQL, command, etc.)
-
Cross-Site Scripting (XSS) – stored or reflected
-
Remote Code Execution (RCE)
-
Security misconfiguration
-
Broken access control
-
Directory / path traversal
-
Exposure of credentials or secrets
Out-of-scope findings
The following are out of scope and may be closed without further review:
-
Social engineering, phishing, vishing, or impersonation
-
Denial-of-Service (DoS / DDoS) testing
-
Brute-force attacks or account enumeration
-
Automated scanner output without manual validation
-
Weak password policy suggestions
-
Missing HTTP headers without demonstrated risk
-
Cookie flags on non-sensitive cookies
-
Clickjacking or CSRF on non-sensitive pages
-
Email SPF / DKIM / DMARC configuration issues
-
Open redirects without security impact
-
Self-exploitation or theoretical issues only
-
Issues requiring unrealistic user interaction
-
Vulnerabilities already known to SKIKK
-
Reports based on leaked, stolen, or compromised credentials
Rules of engagement
When testing, you must:
-
Test only on accounts you own and control
-
Avoid actions that degrade service availability
-
Not access, modify, or delete data belonging to other users
-
Not upload malware or malicious payloads
-
Not exploit vulnerabilities beyond proof of concept
-
Not perform physical security testing
-
Not disclose vulnerabilities publicly before resolution
-
Delete any sensitive data obtained during testing
Failure to follow these rules may result in disqualification from the program.
Reporting a vulnerability
Please submit reports via email to:
security@skikk.eu
Your report should include:
-
A clear description of the issue
-
Affected URL(s) or endpoint(s)
-
Steps to reproduce
-
Proof of concept where applicable
-
Impact assessment
Incomplete or unclear reports may be rejected.
Our commitment
If you follow this policy, we commit to:
-
Acknowledge receipt of your report
-
Review and validate reported issues
-
Keep you informed of progress where appropriate
-
Not pursue legal action for good-faith research
-
Handle your report confidentially
Resolution timelines may vary depending on severity and complexity.
No rewards
SKIKK does not offer monetary rewards, bounties, or payouts for reported vulnerabilities. This is a responsible disclosure program based on good-faith collaboration, not a paid bug bounty program.
We deeply appreciate the time and effort of security researchers, and we are happy to acknowledge valid contributions where appropriate, but participation is voluntary and does not entitle you to any compensation.
Legal terms
By submitting a report, you confirm that:
-
You are the original author of the report
-
You grant SKIKK the right to use and act on the report
-
You will not disclose the vulnerability publicly without written consent
-
You will not use SKIKK’s name or brand for promotion
Final notes
This program may be modified or discontinued at any time without notice. Participation is voluntary and does not provide any reward or compensation.
Thank you for helping keep SKIKK and its customers secure.