Vulnerability Disclosure Management

Framework and rules

Reporting a vulnerability (Coordinated Vulnerability Disclosure, CVD)

  • Do not discuss the security vulnerability you have discovered with anyone other than the provider, the NCSC and BFH during the CVD process.
  • Do not publicly disclose the vulnerability before giving the affected parties sufficient time to resolve the problem or before reaching an agreement with everyone involved, including BFH.
  • After reporting a vulnerability, do not continue interacting with the system during the CVD process.
  • Do not leverage vulnerabilities to download, modify or delete data beyond what is necessary for a proof of concept.
  • Do not attempt to elevate privileges or explore a system beyond what is necessary for a proof of concept.
  • Do not exfiltrate any data belonging to other users; use only your own data for testing.
  • Do not attempt to use brute force or social engineering techniques to gain access to a system.
  • Do not use denial-of-service attacks.
  • Do not install malware or viruses.
  • If possible, your report should include the IP addresses you were using when you discovered the vulnerability. This allows a better assessment of potential exploitation and helps reduce false positives.
  • Let BFH know if you plan to publicly disclose your observations (report, lecture, article, etc.).

What you can expect from BFH within the CVD programme

  • If a vulnerability in BFH’s systems is reported in line with the above rules, in good faith and without fraudulent or damaging intent, BFH will not take civil or criminal action against you.
  • You may submit your report anonymously.
  • BFH treats reports confidentially and will not disclose personal details of the reporting party or receiving organisation without their consent.
  • We will only name you as the person who reported the vulnerability if you give your consent.
  • You will receive confirmation of receipt within three working days of reporting the problem. BFH will validate the report within two working weeks.
  • If possible, BFH will update the reporting party on further developments and the resolution of the vulnerability.
  • If the vulnerability is publicly disclosed, BFH will coordinate the procedure with all parties involved.
  • BFH’s CVD programme does not currently offer compensation for reports.

PGP

  • KeyID: 0x99ACA09463FBB5B9
  • Fingerprint: 7156 83C8 E127 E90F 1067 7BAA 99AC A094 63FB B5B9

S/MIME

  • Fingerprint (SHA-256): FA:B9:18:A2:21:07:2C:58:35:4B:FD:DF:B5:29:3B:68:3E:FA:A1:24:14:C0:70:FC:49:62:4D:5C:EA:3A:21:92