Security: Omar-Bishtawi/rds-audit-logs-s3

SECURITY.md

Security Policy

Personio takes the security of our software, our services, and the data of our customers seriously.

If you believe you have found a security issue with any Personio-owned repository or Personio-operated service, please report it to us as described below.

Reporting a Vulnerability

Please do not report (potential) security issues through public GitHub issues.

Instead, please report them through our responsible disclosure program. We are currently operating an invite-only bug bounty with Intigriti. In order to participate, please register with Intigriti (https://login.intigriti.com/account/register). Then send an email to us at [email protected] with your @intigriti.me email address. We will then invite you to our bounty program. Once onboard, you will be able to review our bounty terms and scope, and safely share your findings with the team.

Alternatively, you can report them directly to our security team via [email protected]. If possible, please encrypt the message with our PGP key. You can find it here: https://keys.openpgp.org/vks/v1/by-fingerprint/C921305FC1B574C16533ACA4B3E23F29B4B09BE1

Please include the information listed below to help us better understand and address the issue:

  • Your name and affiliation (if any).
  • The type of the issue (e.g. XSS, SQLi, buffer overflow, etc.).
  • The location of the affected source code, component, etc. (tag/branch/commit or direct URL).
  • Step-by-step instructions on how to reproduce the issue.
  • Any special configuration required to reproduce the issue.
  • Proof-of-concept or exploit code (if possible).
  • Whether this vulnerability is public or known to third parties. If it is, please provide details.

Preferred Language

We prefer all communications to be in English.

There aren’t any published security advisories