Help us get better...
... and take part in Deutsche Telekom's bug bounty program. Data privacy and IT security are very important to us and with your contribution you help us to become even better. If you find a vulnerability, let us know and qualify for a reward. You can find the general conditions for participation here.
Found a vulnerability? Then send us:
- A description of the vulnerability
- A reasoned assessment of the criticality and the type of vulnerability
- A proof-of-concept (PoC) to prove exploitability
- Suggestions on how to fix the vulnerability
Rewards
The rewards quoted are based on a specific risk level. For each reported vulnerability, we evaluate the risk individually and thus determine how much reward we will pay:
To be able to estimate the criticality of a vulnerability, we use the Common Vulnerability Scoring System (CVSS) in version 4.0 or alternatively Bugcrowd's Vulnerability Rating Taxonomy.
As you can see, we have defined different categories. Each category differs in terms of the criticality of the vulnerabilities and the choice of targets. The amount of the reward for the respective category is largely determined by the criticality. This is based on a concrete risk, which is made up of the probability of occurrence and the extent of the damage. For each reported vulnerability, we evaluate the risk individually; if there are major deviations from the assumed risk, the individual bounty can be reduced or increased. If a reported vulnerability affects several systems, the bounty is only paid out once.
No reward is paid for vulnerabilities in third-party software and services.
Rules of Engagement (RoE)
Responsible Disclosure is a mandatory requirement. If you discover a vulnerability, report it to us immediately. We will investigate the vulnerability and will do our best to fix it as soon as possible. If you want to publish details about your find, contact us beforehand and wait for approval.
During your investigations, you handle the tested service carefully and do not limit its availability. You don't spy on, modify, download, delete, or share data. If you violate these rules, we are legally obliged to report it to the authorities. You don't want that – and neither do we. If you are unsure, please contact our bug bounty team.
Deutsche Telekom's bug bounty program is an open program. All but current and former employees of Deutsche Telekom AG and its affiliated companies as well as their relatives or legal representatives are eligible to participate. Minors need a written declaration of consent from a parent or guardian.
RoE Do's
- Keep vulnerability details confidential
- Publish vulnerabilities only after our explicit approval
- Only scan systems that are within the scope of the program
- If you discover personal data as part of your investigation, stop the attack immediately, delete the transferred personal data, and contact the bug bounty team
- If you have any questions, please contact the bug bounty team
RoE Don'ts
- Do not scan systems that are out of scope
- Don't limit the availability of the systems
- Do not spy on, modify, download, delete, or share data
- Don't carry out social engineering attacks
- Do not attempt to gain physical access to Deutsche Telekom AG's infrastructure or data centers
- Do not violate applicable law
- Don't attack third-party systems
Communication and collaboration
Communication and collaboration are critical to the success of the bug bounty program. Keep us regularly updated on the progress of your investigations and share all relevant information with us in a timely manner. We value open and transparent communication and strive to do the same.
Contact: bugbounty@telekom.de