Security & Vulnerability Disclosure

Vulnerability Disclosure Program

Introduction

At Politanalytics, we’re committed to providing a secure, privacy-first environment for our users across Europe and Switzerland. From Swiss politics on politik.ch to EU policy tracking on savoirr.com, data protection is central to our mission. To help us keep our systems strong, we welcome the support of ethical hackers and security researchers through our Vulnerability Disclosure Program (VDP). If you’ve found a vulnerability, please let us know — responsibly.

Guidelines

Scope

All publicly accessible systems and services operated by Politanalytics are in scope.

  • *.politanalytics.com
  • *.politik.ch
  • *.politique.ch
  • *.politica.ch
  • *.savoirr.com
  • Any browser-accessible tools hosted under the above domains.

Vulnerabilities in Scope

The following vulnerability types are considered in scope if they could meaningfully affect data confidentiality, integrity, or availability:

  • XSS (Cross-Site Scripting)
  • CSRF (Cross-Site Request Forgery)
  • SSRF (Server-Side Request Forgery)
  • SSTI (Server-Side Template Injection)
  • SQL Injection
  • XXE (XML External Entity)
  • RCE (Remote Code Execution)
  • LFI/RFI (Local/Remote File Inclusions)
  • Authentication/Authorization flaws

Out of Scope

The following are not considered impactful enough for our security program:

  • UI/UX or content bugs without security impact
  • Social engineering
  • Denial of Service (DoS)
  • Email spoofing or open relay
  • Missing security headers without proven exploitability
  • Use of outdated libraries unless proven exploitable
  • Weak TLS/SSL configurations without working proof of concept

Safe Harbor

If you follow this policy in good faith, we will consider your actions authorized. We will not pursue legal action against you, and if a third party attempts to do so over work that complies with this policy, we will support you. If you’re unsure whether your testing is in line with these rules, please ask before going further.

What You Can Expect From Us

This is not a bug bounty program, but we’re grateful for all serious contributions. Depending on severity, you can expect:

  • A response within 5 business days
  • Proper acknowledgment of your effort
  • A thank-you call or coffee
  • Community recognition (if requested and applicable)

Reporting

Please send your report to: info@politik.ch

We appreciate your help in making policy monitoring safer, smarter, and more secure.