Company

Help us to become better

Bug Bounty

...and find weak spots in our domains that nobody has noticed yet. We have put a bounty on bugs and are hunting them with our Bug Bounty program. Every bug you report can be worth cash. The amount of the bounty depends on the significance of the vulnerability for data privacy and security.

Relevant for the Deutsche Telekom AG Bug Bounty program are vulnerabilities in domains and subdomains at *.telekom.de, *.telekom.net, *.telekom.com and *.t-systems.com.

Anyone with additional information is always welcome - but should not expect a reward. Bug Bounty@Deutsche Telekom AG is an open program. Only current and former employees of Deutsche Telekom AG and its affiliated companies as well as their relatives or legal representatives are not allowed to participate. Minors require a declaration of consent.

We expect responsible disclosure

This much fairness has to be and belongs to good manners: Before you make found vulnerabilities public, we have enough time to react and fix the error. The error will therefore remain among us for as long as possible - no information to third parties. 

In the course of your investigations, you handled the tested service with care and did not restrict its availability. You did not spy, modify, download, delete or share any data. If you do, we may be forced by law to report you to the authorities. You don't want that - and neither do we.

How do I get the bonus?

You have followed our rules and reported a vulnerability that was not previously publicly known. It must be the first submission about this vulnerability. You have used real, own accounts. Access to third party account data without their consent is not desired. You found the flaw without using scanner tools. The vulnerability must not be based on an outdated third party software component. 

If you submit the bug to us, we need an example (unique request or PoC code) and a description. Please indicate which browser you have used and how it is configured.

Rewards are currently available for: 
Remote Code Execution vulnerabilities and SQL Injection vulnerabilities.

Until further notice, awards will not be given for: 
XSS vulnerabilities, CSRF vulnerabilities and RFI/LFI vulnerabilities.

Please report only one vulnerability per email. In order to be able to pay out the award, we need more information from you.

Required information for award payment. (pdf, 538.6 KB)

Acknowledgements

Acknowledgements

We would like to take this opportunity to thank all the important contributors who provide us with helpful tips and hints that help us make our systems more secure.

FAQ