Responsible Disclosure
Spotted something off? Let us know. Security is core to how we operate at Picnic Technologies — and the security research community plays a key role in helping us maintain it.
This page explains how to share your findings with us responsibly, and what you can expect from us in return.
Have you found a security vulnerability?
We take every report seriously. If you’ve discovered a potential security issue in one of Picnic’s systems or applications, please share it with us following the guidelines below.
We will investigate your report, keep you informed of our progress, and recognise your contribution.
Guidelines
What we ask you to do
- Test only on systems you own or have explicit permission to access
- Report your finding privately and promptly — do not share it with others before we have resolved it
- Provide clear, reproducible steps so our team can understand and validate the finding
- Give us reasonable time to investigate and remediate before any public disclosure
What you must never do
- Install malware, backdoors, or any malicious software on any system
- Launch denial-of-service (DoS/DDoS) attacks
- Use social engineering, phishing, or physical access techniques
- Access, download, or modify data belonging to other users
- Use brute force or aggressive automated scanning tools
- Share or retain sensitive data beyond what is strictly needed to demonstrate the vulnerability
- Publicly disclose the finding before it has been resolved
Out of Scope
- Self-XSS — where the payload only runs if the user pastes or enters it in their own browser, with no way for an attacker to deliver it
- Missing security headers (CSP, X-Frame-Options, HSTS, etc.) without a working exploit demonstrating real impact
- Automated scanner output submitted without manual validation or demonstrated impact
- Theoretical vulnerabilities with no working proof-of-concept
How to report
Send your report to security@picnic.nl
Please include:
- A clear description of the vulnerability
- The system or URL affected
- Steps to reproduce the issue
- Any supporting evidence (screenshots, logs, proof-of-concept)
We will acknowledge your report and keep you informed as we investigate.
Acknowledgement
We publicly recognise researchers who help keep Picnic secure.
Researchers who responsibly disclose valid vulnerabilities will be added to our Security Hall of Fame. Eligibility is assessed internally based on the validity and impact of the reported finding.