Vulnerability Disclosure Policy

Introduction

Blackforest Systems takes security seriously. If you have discovered a vulnerability in Elite Lux Admin Panel, we appreciate responsible disclosure.

Scope

In scope:

• Elite Lux Admin Panel (all versions on Hetzner DE)
• API endpoints and authentication
• Session management and cookies
• Infrastructure components (Caddy, OpenBao, Stalwart)

How to report a vulnerability

Response timeline

Acknowledgment:

Within 48 hours

Initial assessment:

Within 7 business days

Fix (critical):

Within 30 days

Coordinated disclosure:

By agreement — typically 90 days after fix

Safe Harbor

Personal data handling

Vulnerability information is treated strictly confidentially. Researchers' personal data is not shared with third parties without explicit consent.

Recognition

We do not offer monetary rewards. Recognized researchers are listed in our Hall of Fame with their consent.

Contact

Legal basis

• EU Cyber Resilience Act (CRA) Art. 14 — vulnerability disclosure obligations
• NIS 2 Directive Art. 23 — incident reporting
• RFC 9116 — security.txt standard
• §202a–c StGB — security research protected when conducted in good faith