We generally invite security researchers to search for vulnerabilities in our services. We kindly ask you not to put any actual user data or production systems at risk.
Report vulnerabilities via e-mail to [email protected]. We do not offer a GPG key for encryption.
Please make sure that you include the following information:
- Which version is affected
- How can the bug be used/exploited
- Explanation of the risk
If you have not received an answer within a couple of days, feel free to contact us again.
For open source software that we use, we recommend filing bug reports and/or pull requests against the upstream repositories. This includes hardening instructions in the installation documentation.
This policy is based on the MIT-licensed security policy of digitalfabrik/security-policy.