# Security Vulnerabilities

The Corona-Warn-App is built with security and data privacy in mind to ensure your data is safe.

## Reporting

We are grateful to security researchers and users who report a vulnerability to us first. To ensure that your report is handled in a timely manner and that non-disclosure of vulnerabilities can be assured, please follow the guidelines below.

**Please do not report security vulnerabilities directly on GitHub. GitHub Issues can be publicly seen and therefore would result in a direct disclosure.**

* Please address questions about data privacy, security concepts, and other media requests to the corona-warn-app.opensource@sap.com mailbox.
* For reporting a vulnerability, please use the Vulnerability Report Form for Security Researchers on [SAP Trust Center](https://www.sap.com/about/trust-center/security/incident-management.html).
  * Please select "Corona-Warn-App" in the _product_ list.
  * In the _versions_ field, either note the specific [release version](https://github.com/corona-warn-app/cwa-app-android/releases) or commit id of the master branch you investigated.
  * The affected repository should be mentioned in the _vulnerability description_.
  * Please use this channel only for reporting vulnerabilities of the _cwa-app_ component and check the security of the respective repositories for other components.

## Disclosure Handling

SAP is committed to reviewing and responding to your request in a timely manner. The resolution of code defects will be handled by a dedicated group of security experts and prepared in a private GitHub repository. The project will inform the public about resolved security vulnerabilities. For more information on the disclosure guidelines, please consult the [SAP security information page](https://www.sap.com/about/trust-center/security/incident-management.html).