We generally invite security researchers to search for vulnerabilities in our services. We kindly ask to not put any actual user data or production systems at risk.

Report vulnerabilities via e-mail to [email protected]. We do not offer a GPG key for encryption.

Please make sure that you include the following information:

• Which version is affected
• How can the bug be used/exploited
• Explanation of the risk

If you have not received an answer within a couple of days, feel free to contact us again.

For used open source software, we recommend to file bug reports and/or pull requests against the upstream repositories. This includes hardening instructions in the installation documentation.

This policy is based on the MIT licensed security policy of digitalfabrik/security-policy.