Reporting a vulnerability
We take the security of our technical infrastructure very seriously. If you nevertheless come across something that you regard as a vulnerability in one of our technical systems or services, please let us know immediately so that we can rectify the situation as soon as possible.
Guidelines
To prevent any kind of abuse of the potential vulnerability by others, we ask you to respect the following guidelines of our Responsible Disclosure Policy:
- Mail us as soon as possible to security@denic.de.
- Write your message in one of our preferred languages, German or English, so that we can answer you accordingly.
- Encrypt your message using our PGP key if you can. We are nevertheless happy to hear from you if you can't use encryption. In this case, contact us without including any sensitive information, and we will find a way to communicate securely.
- In your (encrypted) message, be precise and provide as much information as you can so that we have the best possible chance of reproducing and resolving the problem you have encountered. In most cases, the IP or URL of the system in question plus an outline of the vulnerability will be enough.
- When reporting an issue, include at least an e-mail address that we can use to get in touch if we need additional details or clarification.
- Don’t use automatic scanners and do not change any data or system settings. Please ensure that any research you perform does not harm the operational performance of our systems.
- Don’t share what you’ve found with anyone else until we’ve resolved the problem.
- Destroy any confidential information that may have come into your possession.
- Act responsibly with your knowledge of the security issue. Without our consent, go no further than you have to in order to demonstrate the vulnerability to us. Don’t misuse the encountered security problem.
What can you test?
Suspected security vulnerabilities that can be misused for illegal purposes and which occur:
- On our website: denic.de
- Within our ICT networks, systems and services.
What do you not need to report?
- Social Engineering
- Resource exhaustion / (Distributed) Denial of Service
- Physical Access Testing
- Situations that cannot be reproduced
- Exploits that are not validated with a second tool or method, i.e., wrong result in tool A but right result in tool B
- Cosmetic issues
- Situations where the problem lies on user level (security awareness), e.g., it can be exploited when the workplace is left unprotected, "shoulder surfing" etc.
- Simple fingerprinting or version listings on OS and services
- Publicly available files that contain public information
- Secure / HTTP-only flag missing on cookies containing public information only
- TLS misconfiguration without a proof-of-concept to exploit the weakness
- Incomplete or missing SPF, DKIM or DMARC records
- E-mail addresses found at a third-party data breach
- Publicly disclosed vulnerabilities, patched within the last 2 weeks
- URL redirection (to a valid webpage)
- Local content spoofing / clickjacking
- Registered public IP addresses
- Public files and information leakage through metadata
- Missing security headers, options and flags
- Outdated versions without a proof-of-concept or working exploit
What can you expect from us?
- If you follow the conditions described above when reporting an issue to us, we won’t attach any legal consequences related to your research on that particular issue.
- We appreciate your help in advancing or optimizing the security of our systems and networks. That's why we will do our best to handle all contact with you in a fair and respectful way:
- We will treat your report as confidential, and we will not share your personal details with any third party without your consent, unless we are obliged to do so by law or by a court ruling.
- We will get in touch with you within 5 working days (if you provided us valid contact information).
- We will keep you informed about progress in the resolution of the issue you have reported.
- We will undertake any necessary corrective action as soon and best as we can.
- We don’t object to details concerning reported issues being published from time to time, as long as the issue has been resolved in the meantime and no longer poses a problem.
Hall of Fame
Sadly, nobody has sent us anything yet.
In future, we want to honour people here who have helped us to increase the security of DENIC and thus of the German Internet.