
Security Incidents and Responsible Disclosure Policy

Handling of critical security incidents

In order to be able to handle security-critical incidents quickly and effectively, DRACOON has set up the e-mail address Incidents reported to this address are automatically forwarded to DRACOON's CERT team, which evaluates and prioritizes them based on their impact on information security.

All customers are therefore required to immediately send critical security incidents to the e-mail address The information transmitted is subject to confidentiality.


Responsible Vulnerability Disclosure

DRACOON sees itself as a provider of security solutions and therefore attaches great importance to a secure software development lifecycle (SSDL) and corresponding quality assurance in its own processes and structures. However, even with the greatest of efforts, we cannot prevent vulnerabilities from occurring in our services. Therefore, in addition to regular penetration tests, we also run a private bug bounty program on YesWeHack that interested security researchers can sign up for.

If you find a vulnerability, you can report it either through the program or directly to Our PGP key can be found here. Our security team will analyze the report and fix the vulnerability. We encourage anyone who finds a vulnerability to report it responsibly. The information provided will be kept confidential.

Actions under this Responsible Disclosure Policy should be limited to performing testing to identify potential vulnerabilities and sharing that information with DRACOON. If you wish to publish information about the vulnerability after it has been fixed, please notify us at least one month before publication and give us the opportunity to comment. DRACOON may not be named in any publication without our express consent.

We ask you to respect the following guidelines:

  • Do not engage in or execute any attacks that could damage the availability, integrity or confidentiality of our service or the information stored in our products.
  • Do not engage in social engineering against our employees, customers, or infrastructure.
  • Do not engage in intimidation or extortion.
  • Do not disclose confidential information, including details of your submission, without DRACOON's prior and express consent.
  • Do not violate any applicable laws or regulations.