
Bug Bounty
Report security gaps and vulnerabilities to Hostpoint

Have you discovered a security gap or vulnerability in our system while using Hostpoint products and services? Then share your observation with us!

Security is of the utmost importance for Hostpoint

We always strive for the highest possible quality in our products and services. We also attach great importance in our work to the protection of customer data. For these reasons, we welcome any security vulnerabilities or incidents being brought to our attention.

Hostpoint does not presume any legal consequences for the responsible reporting of vulnerabilities. On the contrary, we will even reward such reports as part of our Bug Bounty program.


Basic guidelines for vulnerability reporting

For us to be able to identify, investigate and resolve issues as efficiently and quickly as possible, please follow these guidelines when reporting issues:

  • Work together with us! Errors can occur anywhere; we therefore expect fair interaction
  • Describe the vulnerabilities/incidents as precisely as possible. Include screenshots, proof of concept scripts or step-by-step instructions, if applicable
  • Do not exploit discovered security vulnerabilities and do not cause any damage
  • Comply with the legal requirements applicable in Switzerland and in your country of domicile
  • Do not publish any vulnerabilities you discover in other places/channels (e.g. social media).
  • Give us at least 90 days to review your report and address any vulnerabilities (in most cases this only takes a few hours or days).

Furthermore, please note that simple suggestions for improvements or notices about the lack of certain features are not suitable for our Bug Bounty program.


What is Responsible Disclosure?

Responsible Disclosure refers to a coordinated and fair reporting procedure for discovered vulnerabilities and security gaps, in which the discoverer of a vulnerability cooperates with the developers of the corresponding system.

Discovered security vulnerabilities shall not be made public, or at least not immediately, after being reported to the developers. The following principles apply:

  • Developers are given sufficient time to fix bugs (at least 90 days). During this time, neither the public nor third parties are informed about the vulnerabilities
  • As a general rule, discovered security vulnerabilities are not exploited by the discoverers (damage or impairment of systems, data theft, espionage, etc.)
  • The discoverers do not make financial demands as a precondition of reporting (extortion)

How does the bug bounty program work?

We're always glad to receive information about vulnerabilities you have discovered. And in some cases, you may even get a financial reward!


How do I report a discovered vulnerability to Hostpoint?

Send your findings on vulnerabilities, security gaps or incidents, documented as thoroughly as possible, to the e-mail address rd@hostpoint.ch (GPG Key) and be ready to answer any questions. We will get back to you.

If you have any questions about the reporting process or Hostpoint’s Bug Bounty program, you are also welcome to contact our support team.


What kind of reward is there for discovered vulnerabilities (Bug Bounty)?

All reports received are individually reviewed, remediated and classified according to specific criteria (in particular, criticality and complexity of the vulnerability). After this assessment, depending on the case, there may be a financial reward paid by Hostpoint.

 
