Vulnerability Disclosure Policy

1. Introduction

At linqi, the security of our products and the safety of our customers' data are our top priorities. We highly value the work of the independent security research community. If you believe you have found a security vulnerability in one of our products, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

2. Scope

This policy applies exclusively to software vulnerabilities found in our own software products.

In Scope:

  • linqi process platform

Out of Scope:
Please note that the following are explicitly out of scope and should not be tested:

  • Our corporate website https://linqi.de/
  • Third-party applications or services not owned or maintained by us
  • Volumetric / Denial of Service (DoS/DDoS) attacks
  • Social Engineering (e.g., phishing) or physical attacks against our employees or infrastructure

3. How to Report a Vulnerability

If you have discovered a security issue, please email us directly at:

  • security [at] linqi [dot] de

To protect sensitive information, we strongly encourage you to encrypt your email using our PGP public key:

Please include the following information in your report:

  • A clear description of the vulnerability and its potential impact.
  • The specific product and version affected.
  • Detailed steps to reproduce the issue (Proof of Concept, screenshots, or code snippets are highly appreciated).

4. What You Can Expect from Us (SLA)

When you share a vulnerability report with us, we commit to the following:

  • We will acknowledge receipt of your report within 5 business days.
  • We will provide an estimated timeframe for addressing the vulnerability.
  • We will notify you when the vulnerability has been fixed.

5. Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. We will not initiate legal action against you or ask law enforcement to investigate you if you comply with these guidelines. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

6. Recognition & Bug Bounty

Currently, linqi does not operate a paid Bug Bounty program and does not offer financial compensation for vulnerability reports. However, we believe in giving credit where credit is due. If your report leads to a valid security update, we will gladly acknowledge your contribution publicly in our security advisories and assign you credit in the resulting CVE record (unless you prefer to remain anonymous).

7. Public Disclosure & Advisories

Once a vulnerability has been verified and a patch or mitigation is available for our customers, we will publish a Security Advisory on our website and issue a corresponding CVE record. We aim to coordinate the public disclosure timeframe with the reporter to ensure our users can update their systems safely.