The Corona-Warn-App is built with security and data privacy in mind to ensure your data is safe.
We are grateful for security researchers and users reporting a vulnerability to us, first. To ensure that your request is handled in a timely manner and non-disclosure of vulnerabilities can be assured, please follow the below guideline.
Please do not report security vulnerabilities directly on GitHub. GitHub Issues can be publicly seen and therefore would result in a direct disclosure.
Important: From June 1, 2023 onwards, please report a vulnerability, address questions about data privacy, security concepts, and other media requests by contacting CoronaWarnApp@rki.de! For transparency reasons, you can find the reporting procedure that was in place until May 31, 2023 below.
- For reporting a vulnerability, please use the Vulnerability Report Form for Security Researchers on SAP Trust Center.
- Please select "Corona-Warn-App" in the product list.
- In the versions field, either note the specific release version or commit id of the master branch you investigated.
- The affected repository should be mentioned in the vulnerability description.
- Please use this channel only for reporting vulnerabilities of the cwa-website component and check the security of the respective repositories for other components.
The CWA-Team is committed to timely review and respond to your request. The project will inform the public about resolved security vulnerabilities.