Responsible Disclosure Policy

• I. Introduction
• II. Scope
• III. Reporting a Vulnerability
• IV. Disclosure Timeline
• V. Our Commitment
• VI. Contact

 

---

 

I. Introduction

At DCSO Deutsche Cyber-Sicherheitsorganisation GmbH, we take information security and the protection of our contractual partners’ personal data very seriously. We firmly believe that collaborating with cybersecurity experts outside of DCSO is crucial for identifying and addressing potential vulnerabilities in our products and services.

This Responsible Disclosure Policy outlines our approach to handling vulnerability reports and the conditions we expect cybersecurity researchers to adhere to when identifying or reporting security issues or vulnerabilities.

For the purpose of this policy, a cybersecurity researcher is defined as any individual who identifies and/or reports a vulnerability.

 

II. Scope

This policy applies to relevant vulnerabilities affecting the following areas:

• • • Our email infrastructure

• • • Our O365, Azure or AWS tenants

• • • Any web applications under our domain dcso.de or its subdomains

• • • Any APIs under our domain dcso.de or its subdomains

• • • Any systems within the public IP range 185.183.125.0/22

• • • Any software projects published through our corporate GitHub account at https://github.com/DCSO, provided they are not explicitly marked as discontinued

 

III. Reporting a Vulnerability

1. If you believe you have found a vulnerability in one of our products or IT services, please proceed as follows:

• • • First, verify whether your report falls within the scope of this policy.

• • • Submit your report via email to our IT security team at blueteam@dcso.de.

• • • To ensure the confidentiality of transmitted data, please encrypt your report using our PGP key, which can be downloaded here.

 

2. To help us understand and resolve the issue quickly and effectively, please include the following details in your report:

• • • A detailed description of the vulnerability.

• • • A step-by-step explanation of how the vulnerability can be exploited.

• • • If applicable/relevant: screenshots or proof-of-concept code.

• • • Your contact details for any follow-up inquiries.

 

3. When identifying and reporting vulnerabilities, we expect cybersecurity researchers to adhere to the following:

• • • Discovered vulnerabilities must not be exploited, e.g., by downloading, modifying, or deleting data, or uploading code.

• • • No information about the vulnerability may be disclosed to third parties or institutions unless DCSO has explicitly granted written consent.

• • • Discovered vulnerabilities must not be used to prepare or facilitate vulnerability reports for third-party programs.

• • • No attacks may be conducted against DCSO’s IT systems or services that compromise, alter, or manipulate infrastructure or individuals.

• • • Social engineering (e.g., phishing), (Distributed) Denial of Service, and spam attacks against DCSO are strictly prohibited.

• • • Please do not submit reports generated by automated tools/scans without accompanying explanatory documentation.

 

4. While we appreciate the efforts of the cybersecurity community, the following types of tests and results are not covered under our Responsible Disclosure Policy:

• • • Denial-of-Service (DoS) attacks

• • • Spamming techniques

• • • Social engineering attacks against individuals, such as phishing

• • • Physical attacks on our infrastructure

• • • Common web application vulnerabilities that are informational or pose minimal risk, such as:
      • • Missing security headers (e.g., X-Frame-Options, Content-Security-Policy)
        • Unnecessarily supported HTTP methods (e.g., TRACE, OPTIONS)
        • Disclosure of service version information
        • Clickjacking on pages without sensitive actions
        • Use of a known vulnerable library without a specific exploit scenario
        • Issues related to password complexity requirements or unenforced password policies
        • Reports of outdated software versions without a specific proof-of-concept exploit

 

IV. Disclosure Timeline

• • • Do not disclose the vulnerability to others before we have had the opportunity to address it. Do not publish any sensitive information obtained during your research.

• • • DCSO generally discloses vulnerabilities publicly only when patches or mitigating solutions are available.

• • • If at any point you feel that we are not responding appropriately, escalation via CERT-BUND CERT-BUND as the responsible escalation body is possible.

 

V. Our Commitment

DCSO is committed to keeping cybersecurity researchers informed throughout the remediation process and recognizing their contributions once the issue has been resolved and/or publicly disclosed.

If you report a vulnerability in accordance with this policy, we commit to the following:

• • • Acknowledgment: We will confirm receipt of your report within three business days.

• • • Resolution: We will resolve the vulnerability as quickly as possible and keep you informed of our progress, including an evaluation of the validity of the reported issue.

• • • Recognition: If desired, we will acknowledge your contribution in our release notes or in the “Hall of Fame” at the end of this document once the vulnerability is fixed. This acknowledgment will include a description of the resolved issue and the reporter’s name or alias.

• • • Confidentiality: The reporter’s information will be handled confidentially, and any personal data of the cybersecurity researcher will be processed in compliance with data protection regulations and not shared with third parties without explicit consent.

• • • No Legal Action: If you adhere to the conditions set forth in this policy and do not otherwise violate applicable laws, we will not initiate legal action against you. This provision does not apply if there is clear evidence of criminal or intelligence-related intent.

 

Please note that financial rewards or “bug bounties” for confirmed vulnerabilities are not provided. Kindly refrain from requesting such compensation.

 

VI. Contact

If you have any questions about this policy, please contact our security team at blueteam@dcso.de.

Thank you for helping us keep our systems secure!

 

---

 

By following this policy, we aim to create a safer environment for our customers and foster collaboration with the security community. We appreciate your efforts in keeping our products and services secure.

 

---

 

Hall of Fame

We’d like to acknowledge the following people for responsibly reporting vulnerabilities to us:

Year / Month	Name / Nickname	Affected Component	Type of reported issue

Please note that researchers can request to be removed from the Hall of Fame at any time. To do so, please send an email to security [at] dcso.de with the subject “HoF removal request”, referencing the entry that should be removed.