# Security Policy

## Scope
This policy applies to:
- The Einfache-eRechnung.de web application and APIs
- Open-source components maintained under the invoicex GitHub organization
## How to report a vulnerability
Send an email to security@einfache-erechnung.de with:
- A description of the vulnerability
- Steps to reproduce
- The potential impact as you see it
If you need encrypted communication, request our PGP key in your initial email and we will provide it.
Please do not disclose the vulnerability publicly until we have had a chance to address it.
## Our response commitment
- Acknowledgment within 3 business days
- Status update within 10 business days
- Coordinated disclosure window of 90 days — we aim to fix confirmed vulnerabilities within this timeframe and will coordinate public disclosure with you
## Safe harbor
We will not pursue legal action against anyone who:
- Acts in good faith to discover and report vulnerabilities
- Avoids privacy violations, data destruction, and service disruption
- Gives us reasonable time to address the issue before public disclosure
This commitment is inspired by the disclose.io safe harbor principles.
## Out of scope
The following are not covered by this policy:
- Social engineering (phishing, pretexting)
- Denial-of-service attacks
- Physical attacks against our infrastructure
- Vulnerabilities in third-party services we use but do not control
## Recognition
With your permission, we will credit you by name in any security advisory we publish. Let us know in your report how you would like to be credited — or if you prefer to remain anonymous.