Report a usd vulnerability or bug

We make every effort to ensure the security of our websites, platforms and IT infrastructure components. Nevertheless, you may discover a weakness or bug in our systems. In this case we ask that you handle the vulnerability responsibly and report it to us for correction. For this purpose we have set up the dedicated process described below.

Disclosure guideline

We aim to fix reported vulnerabilities or bugs within 60 days. If the vulnerability is found in a third-party component, we will contact the responsible parties to arrange for its remediation. The following rules apply for reporting vulnerabilities and bugs:

We do not pay premiums for reported vulnerabilities.
Vulnerabilities may only be published in agreement with usd AG.
Do not violate applicable law and do not damage or compromise any data of usd and/or its customers or exploit any confirmed vulnerabilities.
In vulnerability reports, including any attachments, do not include information that could identify an individual (e.g., name, contact information).
To help us process vulnerability reports as quickly as possible, please ensure that you explain the steps required to reproduce the vulnerability in detail.

Legal & Conditions

By submitting vulnerabilities and/or proposed solutions (hereinafter referred to as “feedback”) to usd AG

you agree to avoid causing any damage to usd AG and/or its customers and therefore agree not to disclose any information until a fix and/or patch has been provided by usd; and
you agree that usd AG may use this feedback to update and/or improve its websites, platforms and IT infrastructure components; and
you grant usd AG the right to use your feedback for any purpose without restriction or compensation of any kind with respect to you and/or your representatives.

Have you discovered a vulnerability or bug?

Please inform us according to the guidelines specified above. Please use our registration form or contact us directly at incident-response-team@usd.de. For encrypted communication via email, we can offer either S/MIME or PGP. For exchanging data via email, we need your certificate or your public PGP key.

    Enter a short note or description that helps to identify the vulnerability or bug.

    Enter the components which are affected by the vulnerability or bug.

    Steps to reproduce

    Please use our web-based usd exchange platform for the encrypted data exchange, e.g. for the Proof of Concept (PoC).

    You can find a secure data room here: https://transfer.usd.de/index.php/s/rZFqL6mLZkz4gR4.

    Information about the security researcher

    Detailed information on the handling of your user data can be found in our privacy protection.

    The responsible handling of found vulnerabilities has top priority for us. In accordance with our mission “more security”, we therefore inform manufacturers about vulnerabilities we have identified in standard products and publish them in a responsible manner.
