Vulnerability Disclosure Policy

Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.

Scope

This policy applies to the bilfinger.com and bilfinger.net domains and all of their respective subdomains. Systems covered by this policy are limited to those that are operated or controlled by Bilfinger and are publicly accessible via the Internet. Systems hosted under these domains or subdomains that are operated by third parties, as well as systems that are not publicly accessible (e.g. internal networks, internal-only DNS, intranet services, or VPN-restricted systems), are out of scope.

Allowed Activities

  • Low-impact, non-disruptive security testing, meaning activities that:
    • operate at normal browsing or low-automation levels
    • do not reduce system availability
    • do not interfere with other users
  • Manual testing of public endpoints
  • Using test accounts (if available)
  • Identifying security-relevant misconfigurations
  • Responsible and private reporting

Prohibited Activities

  • Any form of Denial of Service (DoS), including Distributed DoS (DDoS)
  • High-intensity or abusive automated scanning, including:
    • excessive parallel requests
    • high-frequency crawling
    • tool settings causing service degradation
  • Social engineering, phishing, or physical intrusion
  • Uploading malicious payloads
  • Accessing internal systems or networks
  • Modifying or deleting any website content, including HTML, CSS, JavaScript, images, or other assets
  • Accessing personal or confidential information

What To Do if Prohibited Areas Are Encountered

  1. Stop testing immediately
  2. Do not continue interacting with the affected system
  3. Do not store, copy, or process any retrieved data
  4. Report the incident to cyber@bilfinger.com

Intent

  • Intentional execution of prohibited activities results in loss of Safe Harbor protection and may lead to legal action.
  • Accidental triggering of a prohibited area MUST be reported immediately and will remain protected under Safe Harbor if done in good faith.

Handling of Personal and Confidential Information

If personal or confidential information is encountered:

  1. Stop testing immediately
  2. Do not store, copy, or process the information
  3. Report the incident to cyber@bilfinger.com

Focus Activities

  • Authentication and authorization weaknesses
  • Broken access control / IDOR
  • Injection vulnerabilities
  • XSS
  • SSRF
  • Session handling issues
  • Misconfigurations with exploitability
  • Business logic flaws

Out-of-Scope Issues

  • Missing security headers
  • SPF/DKIM/DMARC reports
  • Version disclosures
  • Rate-limiting suggestions
  • Clickjacking without exploitability
  • Best-practice-only recommendations

Reporting

Reports MUST be sent to cyber@bilfinger.com.
Reports SHOULD include description, reproduction steps, affected components, and PoC (if available).

Safe Harbor

Researchers acting in good faith and following this policy SHALL NOT face legal action. This protection does not apply to misuse, data theft, disruption, or violations of law. Security researchers act independently and are not authorized users, processors, or joint controllers on behalf of Bilfinger under applicable data protection law.

Response Times

Bilfinger SHALL acknowledge reports within 5 business days. Remediation timelines MAY vary.

Disclosure

Researchers MUST NOT publicly disclose vulnerabilities earlier than 90 days after reporting and ONLY after coordination with Bilfinger.

Recognition

Bilfinger does not provide monetary rewards. Valid reports MAY be acknowledged publicly.

Legal Basis

Bilfinger MUST comply with the legal requirements of the Federal Republic of Germany, in particular the German Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR). Germany SHALL be considered the standard jurisdiction for all legal and security assessments. Bilfinger processes personal data submitted in vulnerability reports (e.g., contact details and communications) for the purposes of receiving, assessing, and remediating security issues, based on its legitimate interest in ensuring IT security (Art. 6(1)(f) GDPR).