Personio takes the security of our software, our services, and the data of our customers seriously.
If you believe you have found a security issue with any Personio-owned repository or Personio-operated service, please report it to us as described below.
Please do not report (potential) security issues through public GitHub issues.
Instead please report them through our responsible disclosure program. We are currently operating a registered (public with an Intigriti account) bug bounty program with Intigriti. In order to participate, please register with Intigriti (https://login.intigriti.com/account/register). Then go to the following link and apply (https://app.intigriti.com/researcher/programs/personio/personio/). Once onboard, you will be able to review our bounty terms and scope, and safely share your findings with the team.
Please include the information listed below to help us better understand and address the issue:
- Your name and affiliation (if any).
- The type of the issue (e.g. XSS, SQLi, buffer overflow, etc.).
- The location of the affected source code, component, etc. (tag/branch/commit or direct URL).
- Step-by-step instructions on how to reproduce the issue.
- Any special configuration required to reproduce the issue.
- Proof-of-concept or exploit code (if possible).
- Whether this vulnerability is public or known to third parties. If it is, please provide details.
We prefer all communications to be in English.