Reporting Security Vulnerabilities (Vulnerability Disclosure Policy)

July, 2026

Introduction

The security of our customers, employees, systems, and services is a top priority for flatexDEGIRO SE and flatexDEGIRO Bank SE.

We welcome reports from security researchers, customers, and third parties regarding potential security vulnerabilities in our systems, applications, and services. Responsible reporting of vulnerabilities allows us to identify risks early on and take appropriate measures to minimize and resolve them.

Scope

This policy applies to publicly accessible systems, applications, and services of flatexDEGIRO SE and flatexDEGIRO Bank SE, as well as their brands, in particular:

  • flatex Germany
  • flatex Austria
  • DEGIRO
  • ViTrade

Third-party services, systems, and applications are excluded from this policy unless they are operated by flatexDEGIRO SE or flatexDEGIRO Bank SE.

How to Report

Security-related reports can be submitted to the following email address:

vulnerability@flatexdegiro.com

We support encrypted communication via S/MIME. Information on how to obtain and verify the relevant certificate is available upon request or through the contact address listed above.

Please note that we will store and process your data as part of the analysis process. If you would like your report to be processed anonymously, please indicate this in your email.

What Should the Report Include

Please provide the following information, if possible:

  • Description of the vulnerability
  • Affected application, website, API, or service
  • Steps to reproduce the issue
  • Potential impact
  • Technical evidence or proof-of-concept
  • Contact information for inquiries

The more complete the information is, the more efficiently the assessment can be conducted.

How We Handle Reports

Upon receipt of a report, we will:

  • confirm receipt of the report,
  • analyze and assess the reported vulnerability,
  • ask for clarification if necessary,
  • take appropriate measures to minimize risk and resolve the issue.

We aim to:

  • acknowledge reports within 72 hours,
  • provide an initial assessment within 7 days,
  • remediate critical vulnerabilities within 30 days where possible.

Prioritization and processing are based on our internal risk and security assessment procedures. We assess severity using industry standards such as CVSS.

Guidelines

We ask all reporters:

  • to act responsibly and in good faith,
  • not to compromise the availability of our systems,
  • not to view, store, modify, or disclose any customer data, personal data, or confidential information,
  • not to delete or manipulate any data,
  • not to carry out social engineering attacks,
  • not to carry out denial-of-service attacks (DoS/DDoS),
  • not to conduct automated tests that have a significant impact on the availability of our systems,
  • not to circumvent any physical security measures,
  • not to publicly disclose any discovered vulnerabilities before they have been properly assessed and addressed.

No Bug Bounty Program

flatexDEGIRO SE and flatexDEGIRO Bank SE do not currently operate a public bug bounty program.

The reporting of security vulnerabilities is voluntary and does not entitle the reporter to any compensation, rewards, or other benefits.

Confidentiality

We treat incoming reports confidentially and use the information provided exclusively to assess and address the reported security vulnerability, as well as to comply with legal and regulatory requirements.

Safe Harbor

We will not initiate legal action against individuals who act in good faith, comply with this policy, and report vulnerabilities responsibly.

Regulatory Requirements

Confirmed security vulnerabilities and security incidents may be handled in accordance with applicable legal, supervisory, and regulatory requirements.

Revisions

flatexDEGIRO SE and flatexDEGIRO Bank SE reserve the right to amend or update this policy at any time.