Version: 1.0
Last Updated: March 17, 2026
Language: English

1. Introduction and Commitment
At Hotelbird, the security of our digital hospitality infrastructure and the protection of our partners’ and guests’ data are our highest priorities. In alignment with the recommendations of the German Federal Office for Information Security (BSI), we maintain this policy to provide a clear framework for the responsible reporting of security vulnerabilities.
We recognize the vital role that independent security researchers play in the internet ecosystem and welcome efforts to improve our security posture.

2. “Safe Harbor” and Legal Guarantee
Hotelbird will not initiate legal action (under German laws such as § 202a StGB “Data Espionage” or § 202b StGB “Interception of Data”) against researchers who:

  • Engage in vulnerability research without harming Hotelbird, its customers, employees, or third parties.
  • Adhere strictly to the guidelines set forth in this policy.
  • Do not access, modify, or delete data belonging to Hotelbird or its users.
  • Provide us with a reasonable amount of time to remediate the issue before any public disclosure.

3. Guidelines for Responsible Research
To qualify for Safe Harbor, we expect researchers to:

  • Avoid Privacy Violations: If you accidentally encounter Personally Identifiable Information (PII) during your research, you must stop immediately, delete any local copies, and notify us.
  • No Disruption: Do not perform Denial of Service (DoS/DDoS) attacks, brute-force testing, or any testing that might degrade the performance of our services.
  • No Social Engineering: Testing our employees, offices, or partners via phishing or physical access is strictly prohibited.
  • Confidentiality: Do not disclose vulnerability details to any third party or the public until Hotelbird has confirmed a fix and granted explicit permission.

4. Reporting Process and Requirements
Please report vulnerabilities via the contact method specified in our security.txt file:

A valid report should include:

  1. Summary: A brief description of the vulnerability and its potential impact.
  2. Steps to Reproduce: Clear, technical steps (or a PoC script) to reproduce the issue.
  3. Environment: Browser version, OS, and the specific URL/Endpoint affected.
  4. IP Address: The IP address you used during your research (to help us distinguish your traffic from malicious attacks).

5. Handling of Personal Data (GDPR / DSGVO)
In accordance with the EU General Data Protection Regulation (GDPR):

  • Hotelbird acts as the Data Controller.
  • Your report and contact details will be processed solely for the purpose of investigating and fixing the reported security issue (Art. 6 (1) (f) GDPR).
  • If you find a data leak, do not download more data than the absolute minimum necessary to prove the vulnerability.

6. Our Commitment to You
When you report a vulnerability to Hotelbird, we commit to:

  • Acknowledgment: We will confirm receipt of your report within 5 business days.
  • Investigation: We will perform a preliminary assessment and provide a status update within 10 business days.
  • Transparency: We will keep you informed of our progress as we work on a remediation.
  • Recognition: With your permission, we may acknowledge your contribution to our security in our “Hall of Fame” (if applicable). Note: At this time, Hotelbird does not offer a monetary Bug Bounty program.

7. Out-of-Scope Vulnerabilities
While we review all reports, the following are generally considered out-of-scope:

  • Clickjacking on pages without sensitive actions.
  • Missing security headers that do not directly lead to a vulnerability.
  • Findings relating solely to SPF/DKIM/DMARC email-authentication records.
  • Known public files or directories (e.g., robots.txt).