# security.txt for Thomann GmbH & Thomann.io GmbH
# This file provides security researchers with a way to report vulnerabilities responsibly.
# Any communication outside the designated email will result in disqualification from our Bug Hunting Program.

Contact: mailto:security@thomann.io
Preferred-Languages: en, de

# Any communication outside of security@thomann.io will lead to an automatic ban from our program.

# Domain Scope:
# The following domains are in scope for security testing:
# - *.thomann.de
# - *.thomann.io
# - *.thomann.ae
# - *.thomann.co.uk
# - *.thomann.dk
# - *.thomann.fr
# - *.thomannmusic.ch
# - *.thomannmusic.com
# - *.thomannmusic.no
# - *.thomann.pl
# - *.thomann.pt
# - *.thomann.nl
# - *.thomann.se
# - *.thomann.es
# - *.static-thomann.de
#
# Additionally, any website owned by Thomann GmbH using country-specific TLDs is eligible.
# This includes domains containing ".thomann." that indicate official ownership.
# No need to submit duplicate reports for the same application hosted on different TLDs.

# Bounty Reward Policy:
# - Currently, we do not offer any monetary rewards.
# - Valid reports may be eligible for *vouchers* to be used in our shop.
# - The amount of vouchers granted is at our discretion based on the impact and severity of the vulnerability.

# Out of Scope:
# The following types of vulnerabilities and reports are considered out of scope:
#
# General Exclusions:
# - Theoretical vulnerabilities without a realistic exploit scenario or attack surface.
# - Social engineering, phishing, spam, or physical security concerns.
# - DDoS or brute-force attacks.
# - Attacks requiring physical access, MitM, or compromised user accounts.
#
# Duplicate Reports:
# - Issues already known through our internal testing will be marked as duplicates.
#
# Out of Scope Assets:
# - Any asset not explicitly listed in scope.
# - Pages redirecting to third-party domains.
#
# Out of Scope Vulnerabilities:
# - WordPress username disclosure.
# - Pre-auth account takeover/OAuth squatting.
# - Self-XSS without an impact on other users.
# - CORS misconfiguration on non-sensitive endpoints.
# - Missing cookie flags or security headers.
# - Low-impact CSRF.
# - Reverse tabnabbing.
# - Best-practice violations (e.g., password complexity, reuse).
# - Clickjacking without demonstrated impact.
# - CSV injection.
# - Sessions not invalidated after logout or enabling 2FA.
# - SPF/DMARC/DKIM issues.
# - HTTP Request Smuggling without demonstrated impact.
# - Homograph attacks.
# - XML-RPC enabled.
# - Same-site scripting.
# - Subdomain takeovers without actual exploitation.
# - Blind SSRF without business impact.
# - Blind XSS without verifiable impact.
# - Broken social media links (e.g., resellers, fan pages).
# - Self-exploitation (e.g., token or cookie reuse).
# - Host header injection without proven business impact.

# Post-Exploitation Policy:
# - Exploitation should be minimal, only enough to prove the issue.
# - Allowed: displaying database version, system name, or local IP.
# - Prohibited: any further exploitation that risks system integrity.

# Any communication outside of security@thomann.io will lead to an automatic ban from our program.
# Last updated: 2025-03-12