Report Covid Certificate system test results

Describe your observation/test result in as much detail as possible, as this will allow us to recreate your experience and correct it as quickly as possible. Ideally, your report should consist of a detailed description and the respective effects. You can also upload additional elements such as screenshots.

Please note that we cannot accept general questions on using the app or media enquiries via the form below.

Report test results

Summary/keyword

*

Brief description of the vulnerability (max. 250 characters).

Description

*

Describe your observation in as much detail as possible to help us reproduce the problem and fix it as quickly as possible.

Impact

Describe the impact of the vulnerability. What is affected if the vulnerability is exploited?

Mitigation

If available, a mitigation approach can be described here.

File Upload

Please use ASCII-text (for example Markdown), pdf or png files for the documentation.

Scope and rules of engagement of the public security test.

I accept the scope and the rules.

*

Personal information (optional)

You can enter your personal information here. This will enable us to contact you if we have further questions . You can also indicate whether we may publicly mention your name as the discoverer.

Name

First name

Nickname/alias

Nickname/alias: this name will appear in the credits.

Email

PGP-Key

You can attach your PGP public key here.

Phonenumber

I would like you to publish my name on this page together with the result.

Definition severity level

The severity level can be determined using the Common Vulnerability Scoring System (CVSS). The FIRST (Forum of Incident Response and Security Teams) website provides an interactive tool for this purpose: https://www.first.org/cvss/calculator/3.0.

Critical (CVSS v3 score: 9.0-10.0): Critical incidents typically do not require any interaction by the person targeted. Accordingly, an attacker does not need any special knowledge about a target. Remote code execution is typical for a critical incident. Repercussions include the outflow of personal data or the loss of anonymity.

High (CVSS v3 score 7.0-8.9): User actions (social engineering) are necessary for successful exploitation. The attacker can thus gain extensive privileges. Repercussions can include data outflows here too.

Medium (CVSS v3 score: 4.0-6.9): Only limited access is gained in the event of exploitation. Moreover, the attacker must be in the same system as the victim. Data is not affected or only to a limited extent.

Low (CVSS v3 score: 0.1-3.9): Functionality and data are not affected. Layout errors and spelling mistakes are also in this category.