Vulnerability handling and disclosure policy

The companies of the Bundesdruckerei Group provide services and technologies to protect digital identities, sensitive data and IT infrastructures. As the German Federal Government's IT security company, we assume social responsibility and resolutely defend Germany's digital sovereignty.

Our primary focus is always the security of the software, systems and services that we develop and operate. We are therefore particularly interested in learning about, and resolving, any vulnerabilities that are discovered in them. If you discover a vulnerability in Bundesdruckerei's IT systems, products or (web) applications, please report it to us. If you wish, we will stay in contact with you; in any case we will immediately take appropriate measures to ensure that the vulnerability is resolved as quickly as possible.

Procedure

  • Send your findings regarding a vulnerability by email to vulnerability-report@bdr.de. Please encrypt your report with our PGP key so that sensitive information does not fall into the wrong hands.
  • Provide as many details in your report as you can, so that we can reproduce and analyse the problem and take the necessary measures.
  • Make sure we can get in contact with you in case we have further questions. Which contact option you choose is up to you.
  • Always comply with applicable law and do not exploit a possible vulnerability to, for example, download documents, change data or upload code.
  • Do not pass on any information about a possible vulnerability to third parties or institutions, and do not publish it until we have contacted you and agreed to publication.
  • Do not carry out any attacks on our IT systems, products, staff or infrastructure that aim to compromise, alter or manipulate them. This also covers social engineering and (distributed) denial of service (DoS/DDoS).
  • Please allow us sufficient time to rectify a possible vulnerability before disclosing it.
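The encryption step above is the one part of the procedure that is easy to get subtly wrong: selecting the recipient by email address lets gpg pick any key that carries that address, including one an attacker uploaded to a keyserver. The following script is an added example, not Bundesdruckerei's own tooling, of how a reporter can import the published key, check its fingerprint against a value obtained out of band, and only then encrypt the report to that exact fingerprint. The key file name, the expected fingerprint and the report file name are placeholders (this page does not publish the fingerprint); take the real value from the published key.

```shell
#!/bin/sh
# Added example: encrypt a vulnerability report to a verified PGP key before
# emailing it to vulnerability-report@bdr.de. Not Bundesdruckerei's code.
# ASSUMPTIONS: key file, expected fingerprint and report file are placeholders
# passed as arguments; the real fingerprint must come from the published key.
set -eu

# Normalise a fingerprint for comparison: drop whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# Succeed (exit 0) only if both fingerprints are identical after normalisation.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint contained in a key file without importing
# it, using gpg's machine-readable --with-colons output ("fpr" records).
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt the report to the key identified by its full fingerprint. Using the
# fingerprint (not the email address) as recipient prevents gpg from choosing
# a different key that merely carries the same address; --trust-model always
# skips the "unverified key" prompt because we verified it ourselves above.
encrypt_report() {
    report="$1"
    recipient_fpr="$2"
    gpg --batch --yes --armor --encrypt \
        --trust-model always \
        --recipient "$recipient_fpr" \
        --output "$report.asc" "$report"
}

main() {
    keyfile="$1"        # e.g. bdr-vulnerability-report.asc (placeholder)
    expected_fpr="$2"   # fingerprint obtained out of band (placeholder)
    report="$3"         # e.g. report.txt (placeholder)

    actual_fpr="$(key_fingerprint "$keyfile")"
    if ! fingerprint_matches "$actual_fpr" "$expected_fpr"; then
        echo "fingerprint mismatch: got $actual_fpr, expected $expected_fpr" >&2
        echo "do not send the report; verify the key out of band first" >&2
        return 1
    fi

    gpg --batch --quiet --import "$keyfile"
    encrypt_report "$report" "$(normalize_fpr "$expected_fpr")"
    echo "encrypted report written to $report.asc"
}

# Only run the workflow when invoked with the three arguments; the helper
# functions above can be sourced and reused on their own.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Usage: `sh encrypt_report.sh bdr-vulnerability-report.asc "<expected fingerprint>" report.txt`, then attach the resulting `report.txt.asc` to the email. The script deliberately refuses to encrypt on a fingerprint mismatch rather than falling back to encrypting by address.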

Measures

  • We will try to rectify reported vulnerabilities as quickly as possible.
  • We will send you a confirmation that your email has been received, followed by a response to your report.