SKIKK Responsible Disclosure Policy

At SKIKK, we’re committed to building safe and secure products for our customers. But no system is perfect, and we know that security researchers, ethical hackers, and developers (a.k.a. “Researchers”) can play a vital role in helping us improve. That’s why we’ve set up this Responsible Disclosure Policy — so you can report security vulnerabilities in SKIKK platforms before someone with bad intentions finds them.

Your help means a safer world for everyone.

How to play nice – Our Terms & Conditions

To keep things fair, transparent, and secure for all parties involved, we kindly ask that you follow these ground rules:

1. Don’t perform any Denial-of-Service (DoS) or similar attacks.

2. Don’t upload, send, or store malicious code or files.

3. No spam, junk mail, or unsolicited messages.

4. Don’t run automated scans or brute-force attacks without prior approval from SKIKK.

5. Avoid testing methods that disrupt SKIKK services or corrupt data.

6. Don’t test physical security at SKIKK locations or stores.

7. No social engineering (e.g., phishing or pretending to be someone else).

8. Don’t test third-party integrations or external websites/services connected to SKIKK.

9. Do not disclose vulnerabilities publicly before 30 days after they’ve been resolved and only with SKIKK’s written consent.

10. Please delete any sensitive data obtained during your testing once your report has been submitted.

What happens after you submit?

We aim to respond quickly. We will only contact you again if a reward is granted; please do not contact us to ask about this.

If the issue is linked to systems outside our core region or needs more in-depth coordination, resolution may take a bit longer.

What’s in scope?

We’re open to reports on a range of security vulnerabilities, including but not limited to:

- Injection vulnerabilities

- Broken Authentication and Session Management

- Cross Site Scripting (XSS)

- Remote Code Execution

- Insecure Direct Object Reference

- Sensitive Data Exposure

- Security Misconfiguration

- Missing Function Level Access Control

- Using Components with Known Vulnerabilities

- Directory/Path traversal

- Exposed credentials

What’s out of scope?

We love your enthusiasm, but some things just aren’t considered valid:

- Social engineering attempts

- Brute-force login or account enumeration

- Weak password policy suggestions

- Missing HTTP headers without proven risk

- Automated scanner reports without validation

- Low-impact issues like autocomplete on forms

- Cookie flag issues on non-sensitive data

- Outdated browser issues

- Self-exploitation, test environments, or theoretical risks

- Email SPF/DKIM/DMARC setups

- Clickjacking or CSRF on non-sensitive pages

- MITM or physical access-based attacks

- Known vulnerabilities disclosed less than 30 days ago

- CSV injection without proven exploitation

- General "best practice" suggestions without risk impact

- Tabnabbing, open redirect without added security risk

- Reports requiring unrealistic user interaction

- Credentials found via dark web, malware, or leaked sources

What’s in scope – Domains & apps

- Domains: skikk.eu, *.skikk.eu

Rewards – aka “Bug Bounty”

While this isn’t a traditional bug bounty program, we may choose to reward researchers for critical or high-impact findings once the issue is verified and resolved.

Important: To be eligible for a reward, you must provide verifiable personal information and proof of identity (such as a valid ID). Anonymous submissions or those using fake identities will not be considered for any form of reward — no exceptions.

All reward decisions are made solely at SKIKK’s discretion and reviewed by our internal security committee on a monthly basis. When a reward is granted we will contact you; please do not contact us to ask about this.

Legal stuff

By submitting a report, you confirm that:

- You are the original author of the report.

- You grant SKIKK the right to use, adapt, and act upon the report in any way needed.

- You will not use your report or relationship with SKIKK in any promotional, marketing, or public context — including using our name, logo, or likeness without written permission.

Want to report something?

Send your findings to: brand@skikk.eu

Thank you for helping us build a safer and more secure SKIKK. Let’s squash those bugs together!