Newer
Older
# Security Vulnerabilities
The Corona-Warn-App is built with security and data privacy in mind to ensure your data is safe.
## Reporting
We are grateful for security researchers and users reporting a vulnerability to us, first. To ensure that your request is handled in a timely manner and non-disclosure of vulnerabilities can be assured, please follow the below guideline.
**Please do not report security vulnerabilities directly on GitHub. GitHub Issues can be publicly seen and therefore would result in a direct disclosure.**
* Please address questions about data privacy, security concepts, and other media requests to the corona-warn-app.opensource@sap.com mailbox.
* For reporting a vulnerability, please use the Vulnerability Report Form for Security Researchers on [SAP Trust Center](https://www.sap.com/about/trust-center/security/incident-management.html).
* Please select "Corona-Warn-App" in the _product_ list.
* In the _versions_ field, either note the specific [release version](https://github.com/corona-warn-app/cwa-app-android/releases) or commit id of the master branch you investigated.
* The affected repository should be mentioned in the _vulnerability description_.
* Please use this channel only for reporting vulnerabilities of the _cwa-app_ component and check the security of the respective repositories for other components.
## Disclosure Handling
SAP is committed to timely review and respond to your request. The resolution of code defects will be handled by a dedicated group of security experts and prepared in a private GitHub repository. The project will inform the public about resolved security vulnerabilities. For more information on the disclosure guidelines, please consult [SAP security information page](https://www.sap.com/about/trust-center/security/incident-management.html).