Vulnerability Disclosure Policy

Introduction

FlexDSL Telecommunications AG recognizes the valuable contribution of independent security researchers who act in good faith and help ensure the security and stability of our digital infrastructure. We therefore welcome the responsible reporting of potential security vulnerabilities in our applications and systems.

We ask that you always disclose information about vulnerabilities responsibly and in accordance with this policy. Please read the following provisions carefully before you begin testing or report a security issue. Ensure that your actions always remain within the scope defined here. If you are unsure whether your activity is compatible with this policy, please contact us in advance: security@flexdsl.ch

FlexDSL will review, validate, and address reported vulnerabilities in accordance with our internal security standards and prioritize them accordingly.

Scope of This Policy

This policy applies exclusively to the following systems and components of FlexDSL Telecommunications AG:

  • Websites and subdomains of FlexDSL
  • Web-based management interface of our products (e.g., modems, routers, switches)
  • The hardware and software of our own products

Only these components are authorized for security-related investigations under this policy.

Out of Scope

All other systems, applications, and infrastructures are expressly excluded from this policy. This includes, in particular:

  • Internal systems, networks, and test environments
  • Third-party components or services hosted by third parties
  • Systems protected by authentication or VPN access
  • Social engineering, spam, denial-of-service attacks, or any other disruptive/malicious activities
  • Theoretical vulnerabilities without reproducible evidence

How to Report a Vulnerability

We accept reports through the following channels:

Please provide as many details as possible, for example:

  • A clear description of the vulnerability
  • Affected systems, services, or IP addresses
  • Steps to reproduce (including proof-of-concept or screenshots if applicable)
  • Optional contact details for follow-up communication

How We Handle Your Report

We commit to a transparent, fair, and respectful process:

  • Confirmation of receipt within 5 business days
  • Analysis and prioritization based on security risk
  • Transparent communication, where desired and possible
  • Confidentiality: No disclosure of personal data without your consent
  • Coordinated disclosure
  • Recognition: Upon request, we will publicly acknowledge you as the reporter

What We Expect From You

Please adhere to the following principles during your research and reporting:

  • No publication before coordinated disclosure with FlexDSL
  • No access to or misuse of personal or protected data belonging to third parties
  • No disruption of services (e.g., no DoS attacks)
  • No use of social engineering, phishing, or physical access
  • Compliance with applicable legal regulations

Safe Harbor

All activities conducted in good faith and in accordance with this policy, without fraudulent or harmful intent, are considered “authorized.” In this case, FlexDSL will not initiate or recommend legal action against you, to the extent legally permissible.

If a third party initiates legal proceedings against you and you have complied with this policy, FlexDSL will take the necessary steps to make it clear that your actions were in accordance with this policy.

FlexDSL reserves the right to take legal action against individuals whose actions violate this policy or are carried out with fraudulent intent.

Legal Notice

This policy is a voluntary initiative to promote cybersecurity and does not constitute a legally binding offer. Reporting a vulnerability does not create a contractual relationship. FlexDSL Telecommunications AG reserves the right not to pursue reports that do not meet the requirements of this policy.

Thank You for Your Support

We thank everyone who contributes to the security of our systems through responsible disclosure. Together, we strengthen trust in a secure digital infrastructure.