We ask you to:
- Make sure that your findings are in scope. Further on this page you can check what is considered to be out-of-scope.
- Use this link to send your findings securely to us. Or fill out every aspect of this mail template, encrypt it with our PGP-key and send it to us.
- Provide adequate information to allow us to investigate and reproduce the vulnerability. This helps to resolve the problem as quickly as possible. An IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, although more information might be necessary for more complex vulnerabilities. You may add a proof of concept.
- Do not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data.
- If you suspect to have access to medical data, we ask you to let us verify this.
- Do not share information on vulnerabilities until they have been resolved and erase any obtained data as soon as the problem is solved.
- Do not attack (physical) security using social engineering, distributed denial of service, spam, brute force attacks, third-party applications for instance, or other types of attacks.