... and take part in Deutsche Telekom's bug bounty program. Data privacy and IT security are very important to us and with your contribution you help us to become even better. If you find a vulnerability, let us know and qualify for a reward. You can find the general conditions for participation here. 

Bug Bounty

Scope

The following systems are part of Deutsche Telekom's bug bounty program (T-Mobile US operates a separate bug bounty program on Bugcrowd).

Domains

Critical / P1: up to 50,000 euros
High / P2: up to 20,000 euros
Medium / P3: up to 10,000 euros

-    *.telekom.de
-    *.telekom.net
-    *.telekom.com
-    *.t-systems.com

Found a vulnerability? Then send us:

  • A description of the vulnerability
  • A reasoned assessment of the criticality and the type of vulnerability
  • A proof-of-concept (PoC) to prove exploitability
  • Suggestions on how to fix the vulnerability

Rewards

The rewards quoted above are based on a specific risk level. For each reported vulnerability, we evaluate the risk individually and determine the reward on that basis.

To be able to estimate the criticality of a vulnerability, we use the Common Vulnerability Scoring System (CVSS) in version 4.0 or alternatively Bugcrowd's Vulnerability Rating Taxonomy.

As you can see, we have defined different categories. Each category differs in the criticality of the vulnerabilities and the choice of targets. The amount of the reward for a category is largely determined by criticality, which is derived from a concrete risk: the probability of occurrence combined with the extent of the damage. For each reported vulnerability, we evaluate the risk individually; if it deviates significantly from the category's assumed risk, the individual bounty may be reduced or increased. If a reported vulnerability affects several systems, the bounty is paid out only once.

No reward is paid for vulnerabilities in third-party software and services.

Rules of Engagement (RoE)

Responsible Disclosure is a mandatory requirement. If you discover a vulnerability, report it to us immediately. We will investigate the vulnerability and will do our best to fix it as soon as possible. If you want to publish details about your find, contact us beforehand and wait for approval.

During your investigations, you handle the tested service carefully and do not limit its availability. You don't spy on, modify, download, delete, or share data. If you violate these rules, we are legally obliged to report it to the authorities. You don't want that – and neither do we. If you are unsure, please contact our bug bounty team.

Deutsche Telekom's bug bounty program is an open program. Anyone may participate except current and former employees of Deutsche Telekom AG and its affiliated companies, as well as their relatives or legal representatives. Minors need a written declaration of consent from a parent or guardian.

RoE Do's

  • Keep vulnerability details confidential
  • Publish vulnerabilities only after our explicit approval
  • Only scan systems that are within the scope of the program
  • If you discover personal data as part of your investigation, stop the attack immediately, delete the transferred personal data, and contact the bug bounty team
  • If you have any questions, please contact the bug bounty team

RoE Don'ts

  • Do not scan systems that are out of scope
  • Don't limit the availability of the systems
  • Do not spy on, modify, download, delete, or share data
  • Don't carry out social engineering attacks
  • Do not attempt to gain physical access to Deutsche Telekom AG's infrastructure or data centers
  • Do not violate applicable law
  • Don't attack third-party systems

Communication and collaboration

Communication and collaboration are critical to the success of the bug bounty program. Keep us regularly updated on the progress of your investigations and share all relevant information with us in a timely manner. We value open and transparent communication and strive to do the same.

Contact: bugbounty@telekom.de

Acknowledgements

We would like to take this opportunity to thank all the important contributors who provide us with helpful tips and hints that help us make our systems more secure.
