G DATA Vulnerability Disclosure Policy
G DATA CyberDefense AG and its subsidiaries ("G DATA") follow a responsible disclosure process for potential vulnerabilities and software anomalies (bugs). This includes vulnerabilities and bugs in computer and mobile software that is produced by G DATA, as well as vulnerabilities in online services, domains and websites that are maintained by G DATA.
During the investigation and mitigation of discovered vulnerabilities, G DATA follows the Vulnerability Handling Process. This process engages the appropriate personnel and resources at the right time to ensure that each reported vulnerability is validated and resolved. The process is considered complete when a mitigation solution has been developed and deployed and all relevant parties have been informed. For non-confirmed vulnerabilities, the process is considered complete once the reporter has been notified of the investigation results. In certain cases, the process may end without creating and deploying a mitigation solution – G DATA may choose to publish only the necessary information and mitigation instructions rather than implementing a fix.
G DATA communicates with vulnerability reporters at multiple stages if they provide their contact information. This includes confirming the receipt of reports, addressing clarification questions, requesting additional information/files, and similar interactions. More information is available in the "Response times" section of this document.
Good communication is important for vulnerability reporting. We encourage reporters to provide us with at least one valid contact option (preferably an email address) for any queries.
We emphasize clearly that all involved parties must treat each other with respect and that unlawful behavior within the EU, such as discrimination, sexism, racism, Nazism, glorification of violence, pornography, insults, defamation and slander, will not be tolerated.
Contact information - how to submit reports
G DATA provides multiple channels for reporting security vulnerabilities. Reports can be submitted anonymously. Encryption options are also available. For details, see the "Anonymous reporting" and "Encrypted communication" sections of this document. Our preferred languages are English and German.
Vulnerability reports should be sent via email to security@gdata.de.
Our Privacy Policy can be found here.
The current contact information is valid until October 1, 2026.
Response times
Every vulnerability report is acknowledged within 7 days from the submission date. A unique tracking number is assigned to each report, and this number is shared with the vulnerability reporter.
Within the next 14 days, the reporter receives a notification of whether the reported vulnerability is confirmed or not. If a vulnerability is already known to G DATA, the report is still processed, and the reporter receives an appropriate notification.
In case a vulnerability cannot be reproduced in-house, G DATA may ask the reporter for additional details and files or extend the time to confirm a vulnerability. If the reporter does not reply within 30 days, then the submitted report can only be processed to a limited extent and may be closed without resolution.
Notifications will be sent to reporters only if they provide valid contact information. This is not possible for anonymous submissions. For details, see the "Anonymous reporting" section of this document.
In case a reporter wishes to receive an update on the status of a report's investigation, this can be done at any time by writing an email to security@gdata.de and including the previously assigned tracking number.
A mitigation solution for a confirmed vulnerability will be made available within 90 days after the disclosure date. A security advisory may also be created and published on our website. The reporter will be informed once a mitigation solution is released, and the version number of the fixed product will be provided in the reply. However, in certain situations G DATA may decide not to disclose a reported vulnerability, but mitigation options may still be made available.
According to responsible disclosure practices, G DATA asks vulnerability reporters not to publish information about a reported vulnerability within 120 days after the submission date. This will allow us to create a mitigation solution and to let our customers deploy the fixed version on their end.
Anonymous reporting
Communication between G DATA and vulnerability reporters is important. However, each report can also be submitted anonymously, without specifying the contact information. Anonymous reports can be submitted to security@gdata.de from a “burner” email address (temporary email address provider).
G DATA will not track any reporters and there will be no legal action for reporting bugs or vulnerabilities in our products and services. The exception to this is a clear criminal intent, such as attempted extortion.
Please note that anonymous reports can only be processed to a limited extent due to missing contact options to request additional technical details. In addition, if no contact information is provided, G DATA will not be able to acknowledge received reports and will not be able to send gifts of appreciation for confirmed vulnerabilities.
If a reporter expects a reply from G DATA on their submission, they should provide a valid email address and/or a telephone number. This contact information may also be used by G DATA to request additional information or files needed to reproduce a vulnerability. Dispatching a reward for confirmed vulnerability reporting will require valid contact information.
Encrypted communication
Encryption is not required but recommended for vulnerability reporting. We recommend using PGP encryption. G DATA's public PGP key can be downloaded from our website.
PGP key information:
Download location: https://secure.gd/7fa16f
Key-ID: 1064 044F 2D4E 7B5B
Fingerprint: EB66 89E9 9C8D 9B0F 472F 037B 1064 044F 2D4E 7B5B
The security.txt file is encrypted with the same PGP key.
Any freely available software that implements OpenPGP encryption may be used to encrypt a submission. Alternatively, a password-protected ZIP archive can be used to transmit proof-of-concept and other relevant files securely.
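Before encrypting a report to a downloaded key, a reporter should confirm that the key they imported really is the one whose fingerprint is published above. The following Python example is added here and is not G DATA's tooling: it normalizes a fingerprint, derives the long and short key IDs from it (for a v4 OpenPGP key these are simply the last 16 and 8 hex digits of the fingerprint, which is why the Key-ID above matches the tail of the fingerprint), parses the `fpr` records from `gpg --with-colons --fingerprint` output, and accepts a key only when the full 40-digit fingerprint matches. The gpg output strings embedded in the block are constructed samples, including a deliberately crafted impostor key that shares the short key ID but not the fingerprint.

```python
"""Check an imported OpenPGP key against a published fingerprint.

Added example, not G DATA's own code. The only trusted input is the
fingerprint copied from the disclosure policy; the gpg output samples
below are constructed for illustration.
"""
import re

# Fingerprint exactly as published on the policy page.
PUBLISHED_FINGERPRINT = "EB66 89E9 9C8D 9B0F 472F 037B 1064 044F 2D4E 7B5B"


def normalize_fingerprint(fpr: str) -> str:
    """Strip spaces and colons and upper-case, so renderings from different
    tools (gpg, key servers, web pages) compare equal. Rejects anything
    that is not a 160-bit (40 hex digit) v4 fingerprint."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fpr!r}")
    return cleaned


def key_ids(fpr: str) -> tuple[str, str]:
    """Return (long key ID, short key ID). For v4 keys these are the
    trailing 16 and 8 hex digits of the fingerprint; both are far easier
    to collide than the full fingerprint, so never trust them alone."""
    f = normalize_fingerprint(fpr)
    return f[-16:], f[-8:]


def fingerprints_from_gpg_colons(output: str) -> list[str]:
    """Parse 'fpr' records from `gpg --with-colons --fingerprint` output.
    In that format the fingerprint is the tenth colon-separated field."""
    fprs = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9])
    return fprs


def key_matches_policy(gpg_output: str, published: str = PUBLISHED_FINGERPRINT) -> bool:
    """True only if some key in the gpg output has the full published
    fingerprint. A matching key ID is not sufficient."""
    want = normalize_fingerprint(published)
    return any(normalize_fingerprint(f) == want for f in fingerprints_from_gpg_colons(gpg_output))


# Constructed sample: what `gpg --with-colons --fingerprint` might print for
# a correctly imported key (pub record followed by its fpr record).
SAMPLE_GPG_OUTPUT = """\
pub:-:4096:1:1064044F2D4E7B5B:1600000000:::-:::scESC::::::23::0:
fpr:::::::::EB6689E99C8D9B0F472F037B1064044F2D4E7B5B:
uid:-::::1600000000::0000000000000000000000000000000000000000::Constructed UID <example@example.invalid>::::::::::0:
"""

# Constructed impostor: same short key ID (2D4E7B5B) but a different
# fingerprint. A check that only compares the short ID would accept it.
IMPOSTOR_GPG_OUTPUT = """\
pub:-:4096:1:00000000" + "2D4E7B5B:1600000000:::-:::scESC::::::23::0:
fpr:::::::::000000000000000000000000000000002D4E7B5B:
"""


if __name__ == "__main__":
    long_id, short_id = key_ids(PUBLISHED_FINGERPRINT)
    print("long key ID :", long_id)
    print("short key ID:", short_id)
    print("genuine sample accepted :", key_matches_policy(SAMPLE_GPG_OUTPUT))
    print("impostor sample accepted:", key_matches_policy(IMPOSTOR_GPG_OUTPUT))
```

On a real system the `gpg_output` argument would be the text of `gpg --with-colons --fingerprint <key id or email>` run after importing the downloaded key; the point of comparing the normalized 40-digit fingerprint rather than the key ID is that the short and long IDs are only the last 32 or 64 bits of the fingerprint and can be deliberately collided.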
Code of conduct
- When disclosing a potential vulnerability, please keep PoC (proof-of-concept) files and information related to a vulnerability secret for at least 120 days after the initial reporting date.
- Do not disclose any communication with G DATA to any third party or to the press within 120 days after the initial disclosure date; if communication with G DATA is disclosed after 120 days, please make sure to remove all employees' names and contact information from screenshots and email bodies.
- Internal information and/or files obtained from G DATA during the reproduction of a vulnerability must never be shared with any third party or the press; this also includes any customer data and/or files.
- Do not resubmit the same report if you don't receive an immediate reply from us; please wait a few days for our confirmation email. We will reply to all reports within 7 calendar days.
- When submitting a vulnerability report to G DATA, please do not submit the same report to other security organizations: let G DATA handle the report responsibly. G DATA will notify necessary authorities if required by law.
Precautions for vulnerability researchers
- When testing a potential vulnerability, do not perform DoS (denial of service) attacks on G DATA's websites or infrastructure and do not disrupt any of our online services.
- Do not use network tools that generate a large amount of traffic, otherwise your report will be disqualified.
- Do not attempt to access real customer accounts or attack real customer software. Always use your own test account and software (for example a trial version from G DATA's website).
- Do not use real customer data or email addresses to reproduce a vulnerability. Please create your own set of data and email address for testing purposes.
We will, nonetheless, treat reports from non-compliant entities to the best of our ability.
Rewarding Policy
G DATA does not provide monetary rewards. However, we send gifts of appreciation to vulnerability reporters by tracked mail. Please note that dispatching a reward will require the reporter's name and a valid shipping address.
- G DATA sends gifts of appreciation via tracked mail. The recipient is responsible for paying all necessary local and import taxes if they are applied in the destination country.
- In case of a serious violation of the "Code of conduct", the reporter may be disqualified and will not receive a reward.
- The reward is granted only for vulnerabilities that are confirmed by our security specialists after an internal investigation.
- Confirmed serious vulnerabilities (for example escalation of privilege, bypassing protection mechanisms, remote code execution, access to internal/confidential data, or any kind of injection such as SQL injection or code injection) will result in a higher-level reward. Please keep in mind that G DATA is the sole authority to determine the severity of reported vulnerabilities. We will maintain a fair and objective approach in all our assessments.
- The reward will not be granted if the reported vulnerability is already known to G DATA or has already been previously communicated to G DATA.
- Reports concerning missing security-related HTTP headers or DNS records that do not directly result in a real vulnerability will not be rewarded.
- Broken links on G DATA's website or minor user interface bugs in our software do not qualify for a reward.
- Please do not send reports generated by automated web vulnerability scanners, as these are generally unhelpful and will not be eligible for a reward.