Responsible Vulnerability Disclosure Policy by Österreichische Staatsdruckerei GmbH (hereinafter referred to as OeSD)

OeSD places great emphasis on the security of our online services. We value collaboration with security researchers who assist us in improving our systems. This policy describes how you can report security issues to us and what you can expect from us.


1. Introduction  

Our goal is to create a transparent process for reporting vulnerabilities to ensure the security and privacy of our users. We strive to carefully investigate and resolve all reports.


2. Scope  

This policy applies to all online services operated under the responsibility of OeSD that publish a security.txt file (RFC 9116). Services without such a file are out of scope.
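As an added illustration (not part of OeSD's policy or its own tooling): a researcher checking whether a host falls within this scope would fetch its security.txt from the RFC 9116 location `/.well-known/security.txt` over HTTPS and confirm that the file is well-formed and not expired. The script below parses a constructed sample file (the contents and the example.org addresses are invented for illustration) and checks the RFC's mandatory rules; it does not contact any server.

```python
"""Parse and sanity-check a security.txt file according to RFC 9116."""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample for illustration only; this is not any real site's file.
SAMPLE_SECURITY_TXT = """\
# Constructed example
Contact: mailto:csirt@example.org
Contact: https://www.example.org/report-a-vulnerability
Expires: 2099-12-31T23:00:00Z
Encryption: https://www.example.org/pgp-key.txt
Policy: https://www.example.org/responsible-disclosure
Preferred-Languages: de, en
"""


def well_known_url(host: str) -> str:
    """RFC 9116 location of the file: HTTPS only, under /.well-known/."""
    return f"https://{host}/.well-known/security.txt"


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field name (lower-cased) -> list of values.

    Field names are case-insensitive; blank lines and '#' comments are skipped.
    A line without a ':' separator is malformed and rejected.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no ':' separator): {raw!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime:
    # Expires carries an RFC 3339 timestamp; map the 'Z' suffix to an explicit offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(fields: dict[str, list[str]], now: datetime | None = None) -> list[str]:
    """Check RFC 9116 MUST-level rules; returns the list of problems (empty == OK)."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []

    # Contact: required, may repeat; web URIs must use https.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        scheme = urlparse(c).scheme.lower()
        if not scheme:
            problems.append(f"Contact is not a URI: {c!r}")
        elif scheme == "http":
            problems.append(f"Contact web URI must use https, got {c!r}")

    # Expires: required, exactly once, in the future.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"exactly one Expires field required, found {len(expires)}")
    else:
        try:
            if _parse_expires(expires[0]) <= now:
                problems.append(f"file expired at {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not a valid RFC 3339 timestamp: {expires[0]!r}")

    # Preferred-Languages: at most once.
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("at most one Preferred-Languages field allowed")

    # Other link-bearing fields: web URIs must use https.
    for name in ("encryption", "policy", "canonical", "acknowledgments", "hiring"):
        for v in fields.get(name, []):
            if urlparse(v).scheme.lower() == "http":
                problems.append(f"{name.title()} web URI must use https, got {v!r}")
    return problems


if __name__ == "__main__":
    print("would fetch:", well_known_url("www.example.org"))
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    for line in validate(parsed) or ["security.txt looks valid"]:
        print(line)
```

In practice the file is retrieved with any HTTPS client and handed to `parse_security_txt`; a missing file, or one whose Expires date has passed, is a signal that the service may not be in scope and that the contact details should be double-checked before reporting.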


3. Exclusions  

The following areas are excluded from this policy:  

  • Physical products of OeSD, such as ID cards and passports.
  • Physical tests of or attacks on our infrastructure.  
  • Social engineering or phishing attacks against our employees.  
  • UI/UX bugs and typos.  
  • Reports of findings that cannot be exploited, or of mere deviations from "best practices".  
  • Denial-of-service (DoS/DDoS) vulnerabilities.  
  • Services hosted by third-party providers.
  • Intrusions or network tests that could disrupt normal operations.  

4. Rewards  

While we do not offer a financial bug bounty program, we want to express our appreciation for the work of security researchers. Reporters of qualified vulnerabilities may receive recognition and symbolic gifts.


5. Guidelines  

  • Respect the privacy of our users, employees, and systems.
  • Access no more data than necessary. Two or three records are sufficient to demonstrate most vulnerabilities.
  • Refrain from communicating vulnerabilities through channels other than those described in this policy.
  • Do not modify data in our systems that you do not own.
  • Do not place malicious code in our systems.
  • Do not disrupt our services.
  • Do not publish vulnerabilities before they are resolved by us.

6. Reporting a Vulnerability  

If you have discovered a security vulnerability, please report it to csirt@staatsdruckerei.at. Include the following details:  

  • The affected website or page.  
  • A brief description of the vulnerability (e.g., "XSS vulnerability").  

Do not include details in this initial e-mail that would allow the vulnerability to be reproduced; those are exchanged over the secure channel described in section 7. For encrypted communication, you can use our public PGP keys (see the PGP Keys page).


7. What You Can Expect  

After you submit a report, our security team will confirm receipt. We will then establish a secure communication channel for exchanging sensitive information such as reproduction details. Our team will review the reported vulnerability and keep you informed of progress.


8. Legal Framework  

This policy is designed to align with the common practices of responsible security researchers. It does not permit you to violate applicable law or to bring us into conflict with it, in particular the General Data Protection Regulation (GDPR).  

We will not take legal action against security researchers who act in good faith and in compliance with this policy.


--- 

Thank you for your support in making our services more secure.