Deutsche Telekom runs its own Bug Bounty program to make its products more secure.
The Bug Bounty term comes from bounty hunting, in this case hunting for program errors. Notification of such errors can help eliminate security gaps.
Within the Deutsche Telekom Bug Bounty initiative, weaknesses in the following web portals including subdomains are relevant:
Further notifications are, of course, welcome at any time, but are excluded from the reward program.
The Deutsche Telekom Bug Bounty program is an open program. Excluded from participation, however, are the legal representatives, current and former employees of Deutsche Telekom and its affiliated companies as well as their relatives. Minors may only participate with the consent of their legal representative.
What do we mean by responsible disclosure?
- We have sufficient time to respond and rectify errors.
- As part of the security checks, you have undertaken all efforts to not restrict the checked service in its availability.
- You have not spied out and passed on any third-party data.
- You have not informed third parties of the weakness.
The following applies in order to be eligible for a reward:
- The weakness may not have been previously known publicly.
- It must be the first submission on this weakness.
- The Responsible Disclosure Policy must be observed.
- Real accounts may be used for the test; account data of third parties must not be accessed on any account without their consent.
- The weakness must have been found without using scanner tools.
- The weakness must not base on an outdated third party software component.
- A Bug Bounty submission must contain an example (unique request or PoC code) and description of the weakness. This closes the browser and possibly the browser settings with.
The amount of the respective reward is based on the size of the error and the vulnerable portal.
Relevant systems for Bug Bounty messages:
- The Bug Bounty program focuses exclusively on web portals of Deutsche Telekom AG in Germany.
- Within the Bug Bounty initiative, only weaknesses in web portals of the telekom.de domain (*.telekom.de) are relevant.
- We do, of course, welcome additional notifications at any time. A later expansion of the initiative is not ruled out.
What weaknesses should be reported? (Important, changes in the relevant bug classes starting 30th of December 2013)
- (Out of scope starting 30th of December 2013, nevertheless publication in Hall of Fame, of course) XSS weaknesses
- (Out of scope starting 30th of December 2013, nevertheless publication in Hall of Fame, of course) CSRF weaknesses
- (Out of scope starting 30th of December 2013, nevertheless publication in Hall of Fame, of course) RFI / LFI weaknesses
- Remote Code Execution weaknesses
- SQL Injection weaknesses
Please report only one error per each e-mail.
The amount of the relevant reward is based on the criticality of the error and the vulnerable portal.
For payment of an award please provide the following information:
Required information for award payment. (pdf, 42.1 KB)