Last updated: 13 May 2026
Introduction
Workheld takes information security and data protection seriously. This Vulnerability Disclosure Policy (VDP) describes how security researchers, customers, end users and third parties can notify us of vulnerabilities in our products and services. The VDP is part of our information security management system certified to ISO/IEC 27001:2022 (certificate number AT-IS-20260241).
Scope
This policy applies to the following Workheld components:
- Workheld cloud platform and all associated web applications (workheld.com and subdomains)
- Workheld Flow mobile applications (iOS, Android)
- Workheld desktop application
- Workheld Sense including the edge component Luna
- Workheld AI functionality
- Workheld public API endpoints
Out of scope:
- Vulnerabilities in third-party components (see the sub-processor list in the DPA) — please report directly to the respective vendor
- Denial-of-service attacks, load tests, stress tests
- Social engineering attacks against Workheld staff or customers
- Physical attacks against Workheld or customer infrastructure
- Findings with no demonstrable security risk
Safe Harbor
Workheld will not pursue legal action against security researchers acting in good faith within the meaning of this policy, provided that:
- research is limited to what is technically necessary;
- no third-party data is accessed, exfiltrated, modified or deleted;
- vulnerabilities are not publicly disclosed before Workheld has had a reasonable opportunity to remediate (see “Coordinated Disclosure”);
- applicable law (in particular §§ 126c, 202c of the Austrian Criminal Code) is observed;
- Workheld is notified without undue delay after discovery.
This safe-harbor commitment does not apply to activities violating criminal law or the rights of third parties.
Reporting a vulnerability
Preferred channel: e-mail to security@workheld.com. Alternatively, e-mail hallo@workheld.com with the subject “Security”. A PGP key for encrypted transmission is available on request.
Please include: description of the vulnerability, reproduction steps, affected component and version (if known) or URL, assessment of potential impact, and contact details for follow-up.
Response SLA
Workheld acknowledges receipt of a report within one business day and performs an initial assessment within five business days. The remediation strategy is determined by severity (CVSS v3.1):
- Critical (CVSS 9.0–10.0): hotfix typically within 7 days; affected customers are notified in accordance with Section 20 of the Data Processing Agreement.
- High (CVSS 7.0–8.9): patch typically within 30 days.
- Medium (CVSS 4.0–6.9): remediation in the regular release cycle.
- Low (CVSS below 4.0): backlog assessment, remediation by priority.
Coordinated Disclosure
Workheld asks researchers not to publicly disclose vulnerabilities until either an agreed embargo has elapsed (default: 90 days from initial report) or the vulnerability has been remediated — whichever is earlier. For actively exploited (zero-day) vulnerabilities, this period may be shortened by mutual agreement. Workheld may extend the period in justified individual cases, e.g. where a safe remediation requires more time; any such extension is coordinated with the reporter.
Recognition
Workheld maintains a “Hall of Fame” for security researchers whose reports led to improvements. At the reporter’s request, the entry is pseudonymised or omitted. Workheld does not currently pay bug-bounty rewards.
Legal notice
This Vulnerability Disclosure Policy is not a binding offer and does not create a contract between Workheld and security researchers. The safe-harbor commitment is a unilateral statement by Workheld GmbH; its scope is governed by Austrian law. The exclusive place of jurisdiction is Vienna, Inner City.
This policy supports Workheld’s obligations under Article 13 of Regulation (EU) 2024/2847 (Cyber Resilience Act).