Version: 1
Date: 2026.02.10
Safeguarding systems, products, services, and information is a fundamental responsibility of metamorphosis GmbH. This includes a strong commitment to cybersecurity and the protection of data, infrastructure, and digital assets.
In an environment of constantly evolving cyber threats, metamorphosis GmbH recognizes the important role that the security researcher community can play in strengthening cybersecurity. As a result, this Vulnerability Reporting Program has been established to provide a clear and responsible mechanism for reporting newly discovered security vulnerabilities. The purpose of this program is to enhance the security of metamorphosis’ systems, products, services, and infrastructure through collaboration and responsible disclosure.
metamorphosis GmbH maintains a cybersecurity program designed to uphold and continuously improve the security of its systems, products, and services. Contributions from independent security researchers are valued and may help identify areas for improvement.
This Vulnerability Reporting Program applies to security weaknesses discovered in:
Information technology infrastructure
Websites and web-based platforms
Applications, products and software-based services
At the sole discretion of metamorphosis GmbH, validated and responsibly disclosed vulnerabilities may be eligible for acknowledgment following verification and remediation.
In making such determinations, metamorphosis GmbH may consider, among other factors, whether the vulnerability was previously known and whether the reporter adhered to the legal and ethical principles outlined below. Eligibility for acknowledgment will not be determined until the reported vulnerability has been verified, validated, and remediated.
In all cases, security researchers are expected to act in good faith, without malicious intent, and to report vulnerabilities in a timely manner.
If you believe you have discovered a security vulnerability, please report it by contacting:
vulnerability-disclosure@metamorphosis.tech
Please include the following information in your submission:
A clear description of the nature of the vulnerability
The location of the vulnerability, including the affected system, website, API, application, or service
A detailed explanation of how the vulnerability was discovered and how it can be reproduced, including relevant technical details such as browser type, operating system, and software versions
Please note: raw data dumps or bulk exports will not be considered valid submissions
Your preferred method of contact to allow for secure follow-up communication
metamorphosis GmbH will make reasonable efforts to acknowledge receipt of the report within a few business days. Additional information may be requested to support verification and remediation in accordance with internal vulnerability management procedures.
This Vulnerability Reporting Program must not be interpreted as permission to engage in activities beyond what is necessary to identify and report a security vulnerability.
The following activities are not permitted:
Engaging in any activity disproportionate to what is required to demonstrate the existence of a vulnerability, including:
Accessing, downloading, retaining, or disclosing personal, health-related, proprietary, or confidential data
Actively exploiting metamorphosis systems, products, services, or infrastructure
Maintaining unauthorized access beyond initial proof of concept
Disrupting systems, services, networks, or normal business operations
Conducting testing that could endanger the safety of users, customers, or operations, including the use of malware, denial-of-service attacks, or system manipulation
Engaging in any activity that violates applicable local, national, or international laws or regulations
Security testing should be limited to what is necessary to confirm the vulnerability and should avoid any impact on system availability, integrity, or confidentiality.
metamorphosis GmbH appreciates the efforts of the security research community in contributing to a safer digital environment. Responsible vulnerability disclosure helps strengthen security and protect users, systems, and services worldwide.