Report Covid Certificate system test results

Describe your observation/test result in as much detail as possible, as this will allow us to recreate your experience and correct it as quickly as possible. Ideally, your report should consist of a detailed description and the respective effects. You can also upload additional elements such as screenshots.

Please note that we cannot accept general questions on using the app or media enquiries via the form below. 

Report test results

Brief description of the vulnerability (max. 250 characters).
Description severity level: see below on this page.
Describe your observation in as much detail as possible to help us reproduce the problem and fix it as quickly as possible.
Describe the impact of the vulnerability. What is affected if the vulnerability is exploited?
If available, a mitigation approach can be described here.
Please use ASCII-text (for example Markdown), pdf or png files for the documentation.

Personal information (optional)

You can enter your personal information here. This will enable us to contact you if we have further questions . You can also indicate whether we may publicly mention your name as the discoverer. 

Nickname/alias: this name will appear in the credits.
You can attach your PGP public key here.

Definition severity level 

The severity level can be determined using the Common Vulnerability Scoring System (CVSS). The FIRST (Forum of Incident Response and Security Teams) website provides an interactive tool for this purpose:

Critical (CVSS v3 score: 9.0-10.0): Critical incidents typically do not require any interaction by the person targeted. Accordingly, an attacker does not need any special knowledge about a target. Remote code execution is typical for a critical incident. Repercussions include the outflow of personal data or the loss of anonymity.

High (CVSS v3 score 7.0-8.9): User actions (social engineering) are necessary for successful exploitation. The attacker can thus gain extensive privileges. Repercussions can include data outflows here too.

Medium (CVSS v3 score: 4.0-6.9): Only limited access is gained in the event of exploitation. Moreover, the attacker must be in the same system as the victim. Data is not affected or only to a limited extent.

Low (CVSS v3 score: 0.1-3.9): Functionality and data are not affected. Layout errors and spelling mistakes are also in this category.


Last modification 23.01.2023

Top of page