July, 2026
Introduction
The security of our customers, employees, systems, and services is a top priority for flatexDEGIRO SE and flatexDEGIRO Bank SE.
We welcome reports from security researchers, customers, and third parties regarding potential security vulnerabilities in our systems, applications, and services. Responsible reporting of vulnerabilities allows us to identify risks early on and take appropriate measures to minimize and resolve them.
Scope
This policy applies to publicly accessible systems, applications, and services of flatexDEGIRO SE and flatexDEGIRO Bank SE, as well as their brands, in particular:
- flatex Germany
- flatex Austria
- DEGIRO
- ViTrade
Third-party services, systems, and applications are excluded from this policy unless they are operated by flatexDEGIRO SE or flatexDEGIRO Bank SE.
How to Report
Security-related reports can be submitted to the following email address:
vulnerability@flatexdegiro.com
We support encrypted communication via S/MIME. Information on how to obtain and verify the relevant certificate is available upon request or through the contact address listed above.
Please note that we will store and process your data as part of the analysis process. If you would like your report to be processed anonymously, please indicate this in your email.
What Should the Report Include
Please provide the following information, if possible:
- Description of the vulnerability
- Affected application, website, API, or service
- Steps to reproduce the issue
- Potential impact
- Technical evidence or proof-of-concept
- Contact information for follow-up questions
The more complete the information is, the more efficiently the assessment can be conducted.
How We Handle Reports
Upon receipt of a report, we will:
- confirm receipt of the report,
- analyze and assess the reported vulnerability,
- ask for clarification if necessary,
- take appropriate measures to minimize risk and resolve the issue.
We aim to:
- acknowledge reports within 72 hours,
- provide an initial assessment within 7 days,
- remediate critical vulnerabilities within 30 days where possible.
Prioritization and processing are based on our internal risk and security assessment procedures. We assess severity using industry standards such as CVSS.
Guidelines
We ask all reporters:
- to act responsibly and in good faith,
- not to compromise the availability of our systems,
- not to view, store, modify, or disclose any customer data, personal data, or confidential information,
- not to delete or manipulate any data,
- not to carry out social engineering attacks,
- not to carry out denial-of-service attacks (DoS/DDoS),
- not to conduct automated tests that have a significant impact on the availability of our systems,
- not to circumvent any physical security measures,
- not to publicly disclose any discovered vulnerabilities before they have been properly assessed and addressed.
No Bug Bounty Program
flatexDEGIRO SE and flatexDEGIRO Bank SE do not currently operate a public bug bounty program.
The reporting of security vulnerabilities is voluntary and does not entitle the reporter to any compensation, rewards, or other benefits.
Confidentiality
We treat incoming reports confidentially and use the information provided exclusively to assess and address the reported security vulnerability, as well as to comply with legal and regulatory requirements.
Safe Harbor
We will not initiate legal action against individuals who act in good faith, comply with this policy, and report vulnerabilities responsibly.
Regulatory Requirements
Confirmed security vulnerabilities and security incidents may be handled in accordance with applicable legal, supervisory, and regulatory requirements.
Revisions
flatexDEGIRO SE and flatexDEGIRO Bank SE reserve the right to amend or update this policy at any time.