Your security is our top priority.
The security of our products and services is a top priority. This Vulnerability Disclosure Policy describes how to responsibly report potential security vulnerabilities in our cloud services. We welcome reports from security researchers, customers, and partners, and commit to working with you to address findings in a timely and transparent manner.
This policy applies to:
- entervo infinite SaaS platform
- Web applications and APIs under the *.scheidt-bachmann.net domain
- E-Receipt Portal under the *.receipt-parking.com domain
Out of scope:
- Customer-managed on-premise deployments of entervo.core
- Third-party services and integrations not operated by Scheidt & Bachmann Parking Solutions
- Social engineering attacks, spam, physical attacks, denial-of-service (DoS/DDoS) testing, or automated scanning tools causing service disruption
If you are unsure whether a system is in scope, please contact us before starting any testing.
Reporting Guidelines
If you discover a vulnerability, please:
- Email us at security@scheidt-bachmann.net
- Encrypt sensitive details with our PGP key.
- Provide clear information to reproduce the issue:
  - Affected product, service, or API endpoint
  - Steps to reproduce
  - Potential impact
  - Proof-of-concept (if safe)
- Do not publicly disclose the vulnerability until it has been resolved in coordination with us.
Our Commitments
When you report a vulnerability in good faith and in line with this policy, we will:
- Acknowledge receipt of your report within 5 business days
- Provide a first assessment or status update within 10 business days
- Work with you on a coordinated disclosure timeline (typically within 90 days, adjusted by severity and remediation complexity)
- Give you recognition in our Acknowledgments page, if desired
- Not pursue legal action for research conducted in good faith and within scope
Rules of Engagement
- Do not access or attempt to access customer data.
- Do not disrupt services or degrade availability.
- Do not use automated scanning tools without prior coordination.
- Testing must be limited to accounts you own or test accounts explicitly provided by us.
- Do not exploit a vulnerability beyond what is required to prove its existence.
Safe Harbor
We consider security research activities conducted under this policy as authorized. If your research follows these rules of engagement, we will not initiate legal action against you.
This safe harbor does not extend to:
- Actions that are malicious, exploitative, or cause harm
- Violations of laws unrelated to security research
Rewards
At this time, Scheidt & Bachmann Parking Solutions does not operate a formal bug bounty program. However, we value the efforts of security researchers and may, at our discretion, offer compensation or other recognition for high-impact reports. All valid reports are eligible for acknowledgment on our Acknowledgments page.