Vulnerability Disclosure Policy

We welcome reports from security researchers and experts about potential weak points in our IT systems. We are particularly interested in receiving information about security vulnerabilities which could damage the confidentiality or integrity of user information or user systems, or which could be exploited to surreptitiously obtain BERNMOBIL services.

Vulnerability Disclosure Policy

If you think you have discovered a potential security vulnerability in the BERNMOBIL’s IT systems, please contact us using the linked form. In your report, please submit information and detailed instructions which will enable our security team to recreate the problem.

Scope

Any public-facing system owned by BERNMOBIL such as öV Plus or Libero Webshop are as well in scope.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

How to report security vulnerabilities to BERNMOBIL

To submit a vulnerability to BERNMOBIL, please use the linked form.
Alternatively you can send us your report using this Email: [email protected] 

What we would like to see from you:
•    Well-written reports in German or English.
•    Describe in detail how you found the bug.
•    Include a proof of concept.
•    Reports out of the scope list will most likely be ignored.
•    Do not submit reports from automated tools without verifying them.
What you can expect from us:
•    A timely response to your report (within 5 business days).
•    An open dialog to discuss issues.
•    An expected timeline for patches and fixes (usually within 180 days).

Preferences

In order to protect our customers and services, please do not publicize or share any information about a potential vulnerability.
BERNMOBIL does not permit the following types of security research:
•    Performing actions that may negatively affect BERNMOBIL or its customers (e.g. social engineering, phishing, spam, denial of service).
•    Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
•    Social engineering any BERNMOBIL employee, contractor or customer.
•    Using vulnerability testing tools that automatically generate significant traffic.
Please note: Have you found any public transport-related security vulnerabilities and weak points that are unrelated to our IT systems? Please report such instances here as well, and we will pass on your report.