Vulnerability Disclosure Policy

Introduction

Empa acknowledges the valuable role of independent security researchers acting with good intentions to help us maintain the safety and security of Empa's online presence. Empa therefore welcomes responsible reporting of any security vulnerabilities found in our online applications and systems.
We ask you to disclose information security issues in a responsible manner and in accordance with this policy. Please read the following policy carefully before you test and/or report any security vulnerability and ensure that you follow the rules. If you have any questions or are uncertain whether your security research is in compliance with this policy, please contact us as soon as possible via before you continue any activities. By submitting vulnerability reports to Empa, you accept the Policy.

We will validate and fix vulnerabilities in accordance with our security standards.

Scope of this policy

All public facing applications and systems of Empa are in scope of this policy (e.g. websites of Empa). Only such applications and systems are authorized for research as described by this policy.

Out Of Scope

Any application or system not mentioned under "Scope of this policy" and/or hosted by a third-party provider is excluded from the scope of this policy. This includes, but is not limited to:

  • databases, internal networks and infrastructure devices

Your Commitment

One of our goals is to address issues as quickly as possible while limiting negative impacts on our users. In order to do this, we need your help, and regardless of the impact, you agree:

  • Not to compromise Empa information or Empa information systems,
  • To disclose issues as soon as possible via security@empa.ch,
  • To provide valid contact information,
  • To respond when we have a question for you,
  • To include as much information as possible in your report (see "Reporting and Contact" below) to help us to recreate the issue,
  • To use vulnerabilities only to the extent necessary to report them and not to use a vulnerability for any other purpose,
  • Not to violate the privacy of others or interfere with our systems, and not to destroy data or harm the user experience,
  • Only to interact with test accounts that belong to you or for which you have the verifiable explicit permission of the relevant account holder.

Further, you must comply with all laws applicable to you, including local laws of the country or region in which you reside or in which you download or use Empa online platforms, applications, or services.

Our Commitment

If you find a valid security vulnerability in compliance with this policy, you can expect Empa to:

  • Respond in a timely manner, acknowledging receipt of your vulnerability report and engaging with you in an open dialog to discuss the issues,
  • Recognize your contribution if you are the first to report a previously unknown vulnerability and your report triggers a code or configuration change.

Currently, Empa does not offer any recompense to security researchers.

Strictly Forbidden Activities

While we encourage you to report to us any vulnerabilities you find, to remain compliant, you are prohibited from:

  • Performing actions that may negatively affect Empa or its associates, such as denial of service or spam,
  • Performing attacks that negatively impact the performance of Empa systems, such as brute forcing of any kind, fuzzing, etc. without any throttling,
  • Accessing any non-public applications and systems, e.g. via lateral movement,
  • Stealing, destroying or corrupting, or attempting to steal, destroy or corrupt, data or information of Empa that does not belong to you,
  • Disclosing confidential data,
  • Leveraging vulnerabilities to download, modify or delete any data beyond the minimum necessary to provide a proof of concept,
  • Attempting to elevate privileges, or exploring a system beyond the minimum necessary to provide a proof of concept,
  • Conducting any kind of physical or electronic attack on Empa personnel, property, buildings, or data centers,
  • Social engineering or extorting any Empa employee, client or contractor.

Public disclosure of any submission details of an identified or alleged vulnerability, or of any data or information, without explicit written consent from Empa will make you and your submission noncompliant with this Policy and may in some cases expose you to civil or criminal liability.

Reporting and Contact

Report any details of an identified or alleged vulnerability via . We ask you to include detailed information with steps for us to reproduce the vulnerability. The more details you provide, the easier it will be for us to triage and fix the issue. Useful details include:

  • Technical description of the vulnerability, including:
     - Browser information (type and version) used
     - Relevant information about connected components and devices
     - Impacted platform(s) and URL(s)
  • Sample code to demonstrate the vulnerability and/or detailed steps to reproduce it
  • Threat/risk assessment
  • Date and time of discovery
  • Your valid contact information
  • Possible disclosure plans

By submitting the report via you agree to comply with the terms and conditions of this policy.

Safe Harbor

Any activities conducted in accordance with this policy and in good faith, without fraudulent or harmful intent or consequence, will be deemed to be "authorized", and we shall not initiate or recommend legal action against you to the extent possible and permitted by law.

Please note that Article 22a of the Federal Personnel Act obliges us to report all crimes or offences that are subject to mandatory prosecution which we have discovered in the course of our official duties or that have been reported to us. If legal action is initiated by a third party against you and you have complied with this policy, we will take the necessary measures to make it known that your actions were conducted in compliance with this policy.

Empa reserves the right to bring legal action against any person acting in a manner that violates this policy.
