Responsible Disclosure Process
If you discover a vulnerability in Hellmann's IT systems or web applications, please inform us. We will then take immediate action to address the reported vulnerability as quickly as possible.
Process
Fingerprint of the PGP Key:
54DE 381D 2BB7 07D1 075C 9356 516C 2B22 C283 BC29
If you would like to file an internal report of non-compliant behavior instead of reporting a vulnerability, please use the Whistleblower Hotline.
Qualified reporting of vulnerabilities
Any reproducible design or implementation problem at Hellmann that affects the confidentiality, integrity or availability of our systems or data can be reported.
Common examples are:
The following vulnerabilities do not fall within the scope of our Responsible Disclosure Process:
Our Promise
We take immediate action to resolve the vulnerability. You will receive confirmation from us that your report has been received, and during processing we will keep you informed about the validity of the vulnerability and the resolution of the issue.
If you act in accordance with the above instructions of Hellmann, law enforcement authorities will not be informed in connection with your findings. This does not apply if recognizable criminal or intelligence-service intentions are pursued. In case of doubt, please feel free to approach a trusted intermediary such as the Chaos Computer Club.
We will treat your report confidentially and will not disclose your personal data to third parties without your consent.
As a reporter, you will not be judged based on your age, education, gender, origin or social rank. We show this respect publicly and recognize your achievement. With your consent, we will mention the type of vulnerability that was closed, the date of your initial report, your name (or alias) and a contact address or social media profile of your choosing in our Acknowledgments, in order to publicly express good cooperation with Hellmann.
Acknowledgments
2022-06-28
Anonymous
Faulty container configuration that favours clickjacking
2021-09-07
Mahad Ali (LinkedIn)
UI Redressing Hellmann Portal Login
2021-07-19
Anonymous
Output of non-public information Hellmann Track & Trace