Vulnerability Disclosure Program (VDP)
Introduction
Hi, and thanks for wanting to make our shop safer.
Security matters to us. Every day, people trust Digitec Galaxus with their orders, payments, data, and shopping happiness. If you spot something that doesn’t look right, we’d love to hear from you - responsibly, of course.
Here’s how to report security issues in a way that’s helpful for everyone.
What We Ask From You
Please:
- Tell us quickly when you’ve found a real or potential vulnerability.
- Keep it safe: Don’t access, change, or delete data that isn’t yours. Stop immediately if you stumble across what you think is personal or sensitive information.
- Be gentle with our systems: No service disruption, stress tests, or anything that might annoy our customers or devs.
- Use the smallest possible poke: Only test enough to show that the vulnerability exists - no pivoting, no persistence, no exploring internal systems.
- Keep it private: Don’t share the issue with anyone until we’ve fixed it.
- Send us clear, reproducible findings: Quality > quantity.
If you ever think, “Hmm, can I do this?” - just ask us first.
What’s In Scope
Everything publicly accessible and operated by Digitec Galaxus AG, including:
- Websites
  - *.digitecgalaxus.ch
  - *.devinite.com
  - *.digitec.ch
  - *.galaxus.ch
  - *.galaxus.de
  - *.galaxus.at
  - *.galaxus.be
  - *.galaxus.fr
  - *.galaxus.it
  - *.galaxus.nl
  - *.galaxus.eu
- Mobile Apps
  - iOS: https://apps.apple.com/ch/app/galaxus-dein-onlineshop/id1175349817
  - Android: https://play.google.com/store/apps/details?id=com.galaxusapp&gl=US
- Public Code Repositories
  - https://github.com/DigitecGalaxus
The short version:
If it’s publicly reachable and belongs to us, it’s fair game.
What’s Out Of Scope
- Social engineering (phishing, pretending to be staff, etc.)
- Physical access tests (offices, warehouses, data centers)
- DoS / DDoS or anything causing service disruption
- Low-impact mobile app issues (missing jailbreak detection, obfuscation, etc.)
- Missing security headers without a real, practical way to exploit them
- Known-vulnerable libraries with no real impact on our setup
- TLS/SSL “weaknesses” without an actual working attack
If you can show a real-world impact, we’ll happily take a closer look.
Safe Harbor (Important!)
As long as you follow this policy and act in good faith, we’ll treat your research as authorised.
If your research stays within the boundaries of this policy:
- We won’t file a criminal complaint based on applicable legal articles.
- If someone else raises questions about your lawful testing, we’ll confirm that you acted according to our rules (as long as you proactively identified yourself to us).
- We won’t take civil action for compliant research conducted on in-scope systems.
This safe harbor doesn’t cover misuse, fraud, extortion, selling access, major data exfiltration, or anything outside this policy.
If unsure - stop and ask us.
What You Can Expect From Us
This isn’t a bug bounty, but we still want to say thanks:
- A first reply within 5 business days
- A fair, transparent assessment
- For critical findings:
  - A badge on your shop profile
  - A coffee or beer at our Zurich office if you're nearby and want to chat
We appreciate good research and treat researchers with respect.
How To Report
Send your findings to:
vulnerability@digitecgalaxus[.]ch
We accept reports in English or German.
Please include:
- What you found
- How you found it
- How we can reproduce it
- Screenshots, logs, and/or PoC
The clearer your report, the faster we can fix things.
Thank you already in advance for your time and desire to make us and our customers more secure!
Report Template (Recommended)
# Description
Add details about the vulnerability, where you found it, and why you believe it is a security issue.

# Proof of Concept
Screenshots, sample requests, minimal exploit code, or other material that demonstrates the vulnerability.

# Steps to Reproduce
- Step-by-step guide
- Include all necessary URLs, parameters, test accounts, etc.
- Describe expected vs. actual behaviour

# Impact
Explain what an attacker could do if this vulnerability were exploited in the real world (e.g. read customer data, take over accounts, manipulate orders).

# Supporting Materials
Add any additional logs, screenshots, or files that help us understand and reproduce the issue.