Reporting security issues


Not exactly a technical issue, but what is the recommended way to report potential security issues?
I would really like to give Spryker the opportunity to fix such issues in a fitting time period instead of disclosing them in a public forum.
My intention is not to keep them for myself, but to reduce the risk for all Spryker customers which comes with public disclosure.

The ideal would be a mail address with a public GPG key, but I would be happy as well to have a channel where I can at least discuss such issues without making them public already.


You can send email to and elaborate on the found issues.


Hey guys,

Please notify us via
Security issues will be investigated with a high prio.