Responsible Disclosure Policy
We at DaSCH welcome reports from security researchers and experts about potential vulnerabilities in our IT systems.
Note: If you think there is a problem with your accounts (e.g. your password has been stolen), please reset your password immediately. If you have lost access completely, please contact our customer support department (firstname.lastname@example.org).
We are particularly interested in receiving information about security vulnerabilities that could compromise the confidentiality or integrity of user information or user systems, or that could be exploited to surreptitiously obtain our services.
If you believe you have discovered a potential vulnerability in our IT systems, please contact us using the linked form. In your report, please provide information and detailed instructions that will enable our security team to reproduce the problem.
All public-facing systems that we own are in scope.
Any activity conducted in a manner consistent with this Policy will be considered authorised conduct and we will not take legal action against you. If a third party takes legal action against you in connection with activities conducted under this Policy, we will take steps to make it known that your actions were conducted in compliance with this Policy.
How to report security vulnerabilities to us
To submit a vulnerability to us, please use the linked form.
Alternatively, you can send us your report via this email: email@example.com.
What we would like to see from you
Comprehensible reports in English or German.
Describe in detail how you found the bug.
If possible, include a proof of concept.
Reports outside the scope list will most likely be ignored.
Please do not submit reports from automated tools without verifying them.
What you can expect from us
A timely response to your report (within 5 working days).
An open dialogue to discuss issues.
An expected timeline for patches and fixes (typically within 180 days).
Our request to you
To protect our customers and services, we ask that you do not publish or share information about a potential vulnerability.
Types of security research we do not allow
Taking any action that may adversely affect us or our customers (e.g. social engineering, phishing, spam, denial of service).
Destroying or damaging, or attempting to destroy or damage, data or information that does not belong to you.
Social engineering any of our employees, contractors or customers.
Using vulnerability testing tools that automatically generate significant traffic.
Nevertheless, if you hear of any of the above, please report it anyway.