BerlinOnline Stadtportal GmbH & Co. KG

Vulnerability Disclosure Policy

Vulnerabilities can occur even in well-tested applications. Fixing such vulnerabilities is a high priority for us and we always appreciate anyone taking the time to inform us about verified or potential vulnerabilities.

Procedure for a Vulnerability Disclosure

In general, providing us with the address or URL of the affected system and a description of the vulnerability is sufficient. You can find a contact address and a PGP key in our security.txt at https://www.berlin.de/.well-known/security.txt

An encrypted e-mail is desirable, but not mandatory. The following also applies:

  • Please be aware of the scope (only the websites named below) and of non-qualified vulnerabilities (no social engineering, DDoS, etc.)
  • Do not exploit the vulnerability or problem. Do not download or upload data without authorization and do not modify or delete any data. Do not upload any code.
  • Do not pass on information about the vulnerability to third parties unless you have received written approval from us.
  • Provide us with sufficient information so that we can reproduce and analyze the problem (URL range, time, data for reproduction, user agent or similar).
  • Please provide a contact option for further inquiries.
  • Please indicate whether we may pass on your contact details to third parties for follow-up questions regarding rectification. This may be necessary when systems outside our control are involved.
  • Please bear with us if we are unable to respond immediately.

Our Promise

  • We will not take legal action for responsible disclosure of a vulnerability. If you act in accordance with the guidelines stated above, law enforcement authorities will not be informed in relation to your findings. This does not apply if criminal or intelligence intentions were clearly pursued.
  • You will receive feedback from us on the receipt of your report, the expected processing time and the resolution of the problem. (Please check your SPAM folder.)
  • We will try to close the vulnerability as quickly as possible.
  • We will check whether we can address the problem ourselves or whether third parties need to be involved.
  • We will treat your report and your personal data (such as an IP address) confidentially and only pass it on if it is necessary to fix the vulnerability.
  • We will publish a description of the closed vulnerability and, if desired, your name or alias on a thank-you page. This is our way of acknowledging our good cooperation. After this publication, you are welcome to report on finding the vulnerability yourself.

Applicability

You may report vulnerabilities for the following websites:


Not all domains and subdomains are under our responsibility and control. If the vulnerability affects third-party services, we cannot authorize you to test these systems. If in doubt, please ask us before testing a domain or refer to a more specific security.txt.

Non-qualified Vulnerabilities

  • Results from automated tools must be explained and must represent a relevant vulnerability (please only report vulnerabilities that you understand 100%)
  • No violation of the privacy of employees and stakeholders
  • No social engineering or attacks that require physical access to a user's device or network
  • No DDoS attacks (this also applies to automated tools that perform too many requests per second)
  • No mass registration or mass sending of contact forms
  • No SPAM
  • Bots must follow the rules in the robots.txt

Last edited: 18 January 2024