Security
Last Review: Version 1.1 (31 October 2025)
Introduction
At OMMAX, we are committed to protecting the confidentiality, integrity, and availability of our information systems and our customers’ data.
We maintain a culture of continuous improvement, where our security controls and incident response capabilities are regularly reviewed and tested by our Security Team to ensure ongoing effectiveness.
We recognize that security researchers and our wider community play a vital role in identifying vulnerabilities and strengthening our systems. This policy defines how to responsibly report potential vulnerabilities and how we will respond.
Responsible Disclosure Policy
In scope
This policy applies to all digital assets owned, operated, or maintained by OMMAX GmbH, including but not limited to:
- Websites and subdomains under *.ommax.com
- Cloud-based applications, APIs, and customer portals owned by OMMAX
Out of scope
- Systems, applications, or assets not owned or controlled by OMMAX
- Third-party services (e.g., SaaS, hosting providers) integrated with our platforms
- Denial-of-service (DoS), social engineering, or physical security testing
If you discover vulnerabilities in third-party systems, please report them directly to the relevant vendor or responsible authority.
Our commitments
We appreciate the efforts of individuals who invest time and expertise to help secure our systems.
When you report a vulnerability in accordance with this policy, you can expect OMMAX to:
- Acknowledge receipt of your report within 5 business days
- Triage and validate the report based on severity, impact, and reproducibility
- Provide progress updates at least every 30 days while remediation is ongoing
- Remediate confirmed vulnerabilities as quickly as possible, typically within 90 days for critical or high-severity issues
- Extend Safe Harbor for good-faith research conducted under this policy
Note: OMMAX does not currently offer monetary rewards or bug-bounty payments.
Your responsibilities
If you participate in our disclosure program, we ask that you act in good faith and:
- Follow this policy and respect any applicable terms or agreements
- Test only in-scope systems and avoid production disruption
- Avoid accessing, altering, or destroying any user data
- Stop testing immediately and report the issue if you encounter data such as PII, PHI, or financial information
- Report vulnerabilities promptly to OMMAX and allow at least 90 days for remediation before any public disclosure
- Do not use discovered vulnerabilities for unauthorized access or extortion
- Limit your proof-of-concept to what is necessary to demonstrate the issue
- Only test using accounts that you own or have explicit permission to use
- Refrain from excessive automated scanning or actions that could degrade service performance
Reporting and communication channels
Please report potential vulnerabilities to security@ommax.com
When submitting a report, please include:
- A concise description of the vulnerability
- Steps to reproduce (proof-of-concept if applicable)
- Impact assessment or potential risk
- Any supporting logs, screenshots, or sample requests/responses
Safe Harbor
OMMAX supports and encourages good-faith security research.
Activities conducted under this policy will be considered authorized, and OMMAX will not pursue or support legal action if:
- The testing adheres to this policy and relevant laws;
- No data is intentionally exfiltrated, modified, or destroyed; and
- The researcher reports vulnerabilities responsibly and in good faith
If any legal claim is initiated by a third party related to your research under this policy, OMMAX will confirm to that third party that your actions were conducted in compliance with this Responsible Disclosure Policy.
If you are unsure whether your intended testing is permitted, contact security@ommax.com for clarification before proceeding.
Maintenance
- This policy is reviewed at least annually by the OMMAX Security Team and Legal Department
- Significant updates (e.g., changes to scope or contact details) will be posted on ommax.com/security
Legal jurisdiction
- This policy and all related interactions are governed by the laws of Germany and applicable European Union regulations (including GDPR and NIS2 Directive compliance principles)