
Help us to become better

Bug Bounty

...and find weak spots in our domains that nobody has noticed yet. We have put a bounty on bugs and are hunting them with our Bug Bounty program. Every bug you report can be worth cash. The amount of the bounty depends on the significance of the vulnerability for data privacy and security.

Relevant for the Deutsche Telekom AG Bug Bounty program are vulnerabilities in domains and subdomains at *.telekom.de, *.telekom.net, *.telekom.com and *.t-systems.com.

Anyone with additional information is always welcome, but should not expect a reward. Bug Bounty@Deutsche Telekom AG is an open program. Only current and former employees of Deutsche Telekom AG and its affiliated companies, as well as their relatives or legal representatives, are excluded from participation. Minors require a declaration of consent.

We expect responsible disclosure

This much fairness is simply good manners: before you make any vulnerabilities you have found public, we get enough time to react and fix the error. Until then, the error stays between us for as long as possible, with no information passed to third parties.

In the course of your investigations, you handled the tested service with care and did not restrict its availability. You did not spy on, modify, download, delete or share any data. If you do, we may be forced by law to report you to the authorities. You don't want that, and neither do we.

How do I get the bonus?

You have followed our rules and reported a vulnerability that was not previously publicly known. It must be the first submission about this vulnerability. You have used real accounts of your own. Access to third-party account data without the account holders' consent is not desired. You found the flaw without using scanner tools. The vulnerability must not be based on an outdated third-party software component.

If you submit the bug to us, we need an example (unique request or PoC code) and a description. Please indicate which browser you have used and how it is configured.

Rewards are currently available for: 
Remote Code Execution vulnerabilities and SQL Injection vulnerabilities.

Until further notice, awards will not be given for: 
XSS vulnerabilities, CSRF vulnerabilities and RFI/LFI vulnerabilities.

Please report only one vulnerability per email. In order to be able to pay out the award, we need more information from you.

Required information for award payment. (pdf, 538.6 KB)

Acknowledgements


We would like to take this opportunity to thank all the important contributors who provide us with helpful tips and hints that help us make our systems more secure.
