Vulnerability Disclosure Policy
As of: 03.04.2025
The Helmholtz Centre for Infection Research GmbH (HZI) appreciates the efforts of security researchers and the broader community in identifying and responsibly disclosing potential vulnerabilities in our systems and services. This policy outlines our approach to receiving and handling such reports.
1. Scope
This policy applies to vulnerabilities found in systems and services owned or controlled by HZI.
2. Reporting a Vulnerability
If you believe you have found a security vulnerability, we encourage you to report it to us immediately. You can report vulnerabilities by contacting us.
Please provide detailed information about the vulnerability, including:
1. A clear description of the vulnerability,
2. Steps to reproduce the vulnerability,
3. Affected systems or services,
4. Potential impact of the vulnerability and
5. Your contact information (if you wish to be acknowledged).
Additionally, we strive to follow the best practices outlined in https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md and would very much appreciate it if reporters did the same.
3. Our Commitment
We are committed to:
- Acknowledging receipt of your report promptly.
- Investigating and addressing valid vulnerabilities in a timely manner.
- Keeping you informed of the progress of our investigation (where appropriate and requested).
- Working with you to understand and resolve the issue.
4. (No) Bug Bounty
HZI receives public funding and is subject to German public procurement law. This means that we are legally restricted in how we can spend taxpayer money. Consequently, we are unable to offer bug bounties or other monetary rewards for vulnerability reports. While we deeply appreciate and thoroughly investigate all responsible disclosures, we cannot provide financial compensation.
5. Important Notice Regarding Ransomware
HZI receives public funding and therefore does not insure against damages caused by cyber-attacks. This also means that HZI does not respond to ransom demands and does not pay them.
6. Responsible Disclosure
We ask that you:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Refrain from publicly disclosing the vulnerability until we have had a reasonable opportunity to investigate and address it.
- Refrain from exploiting the vulnerability for any purpose other than reporting it to us.
- Provide us with a reasonable timeframe to address the vulnerability before public disclosure.
7. Disclaimer
This policy is subject to change without notice. By submitting a vulnerability report, you acknowledge and agree to the terms of this policy.
8. Contact
If you have any questions about this policy, please contact us.