Whether you want to exchange information, report a vulnerability or request participation in a bug bounty, this is the place to contact our Security Team.
FAQ
Well, it is correct to assume that the data will be transferred directly over a secured connection into our secure service. However, there are logs, and maybe there are even eavesdroppers on our web server – hey, it's just a poor internet-facing machine – so we will all be safer if your message is encrypted with our public PGP key. You will find it here.
In addition, it is best practice, and we try to set a good example.
Well, it depends. In general we value all support, but we do not have a dedicated budget for vulnerability hunters. There is still space in our hall of fame. But provided we are talking about something serious – not just a few spelling mistakes on the website or cheap availability impacts due to upload limit crashes – we will try to convince our management to also reward further valuable input financially. Provided the following aspects are met, we have always been successful so far:
- Clearly outline the steps leading to the issue:
 The better the description, the less effort will be required to confirm the misbehaviour. You can attach a file, even a ZIP, of up to 3MB in size. So it should be possible to describe the starting point, pre-conditions and sequence of activities required to reproduce the misbehaviour or vulnerability.
- Clearly state the impact you see arising from the vulnerability:
 Sometimes the impact of the identified vulnerability is not immediately clear to everybody. We have experienced situations where one aspect was clearly seen, but another, pretty obvious to the initiated, was not. Thus, a well-outlined impact description will definitely help us understand the risks resulting from the vulnerability identified.
- Do not forget your contact details:
 For any sort of payment we will need to contact you. There should be some reasonable means to identify and reach you.
- Be prepared to send an invoice:
 It will be easier for us to accept a security consulting invoice than to pass on grants to international bank accounts without knowing to whom they belong.
Public bounties are not planned. We are currently considering a private – invitation-only – bounty for early September, depending on our sales success. However, if you are interested in participating, reach out and let's get in touch. We are keen to meet motivated people, and it will be simpler to organise if we can interact directly.
