Welcome to the Bug Bounty program of BurdaForward!

We are committed to improving digital security, and that is why we need YOU!
In our vulnerability report program, every researcher who follows our rules and brings flaws, vulnerabilities and bugs in our services to our attention is rewarded with a monetary "bounty" and / or a ranking in our Hall of Fame.

Hall of Fame

Maciej Nowak
Ankit Thakur (Rudra16)
Hari Prasad
Rajesh Tewari
Tinu Tomy
Kunal Bahl
Shankar Acharya
Berk Dusunur
Hemant Singh Manral
Foysal Ahmed Fahim
Rohit S. Pathak
Ahmed Tuhin
Kunal Mhaske
Marco Senkbeil
Soundar.M (From tamilNadu)
Nishant N. Lungare (royniss 8990)
Mubassir Patel
Manjesh S
Chan Nyein Wai
Himanshu Sondhi
Haris Mamoun
Amit Kumar
Yassine Nafia
Aamir Usman khan
Saurabh Siddharam Sanmane
Vaibhav Bahuguna


Responsible Disclosure:

  • Please allow sufficient time for the evaluation and review process.
    You will be notified as soon as your eligible report has been reviewed and evaluated.
  • Do not perform any attack that could harm the reliability or integrity of our services or data.
  • Publishing an unfixed bug or users' personal information is not eligible for a reward and can lead to legal action against you.

In-Scope Domains


In-Scope applications

FOCUS Online – Nachrichten
On Google Play
On the App Store

FOCUS Online – Top Nachrichten
On Google Play

CHIP – News, Tests & Beratung
On Google Play

On Google Play
On the App Store

Finanzen100 Börse & Aktien
On Google Play
On the App Store

Währungsrechner – Finanzen100
On Google Play
On the App Store

On Google Play
On the App Store

Out-of-Scope vulnerabilities:

  • Reflected XSS
  • DDoS attacks
  • Spamming
  • Phishing
  • Social engineering
  • Physical access to one of our devices or facilities
  • Bugs that have no security impact
  • Self-XSS
  • Default files available via the web (e.g. README.txt, CHANGES.txt, etc.)
  • HTTP 404 pages or other non-200 status codes / pages
  • CSRF on forms that are available to anonymous users, for example contact forms
  • Disclosure of known public files or directories (e.g. robots.txt)
  • HTTPS mixed content scripts
  • TLS/SSL issues
  • Missing HTTP security headers
  • Open redirects
  • Vulnerabilities in third-party services (e.g. CDN)
  • Missing SPF or DMARC records
  • Automated scan results without an eligible PoC
  • Bugs requiring exceedingly unlikely user interaction
  • Clickjacking-related issues
  • Subdomains that are not administered by us
  • DoS
  • Brute-force attacks


Also NOT eligible:

  • Reporting an already publicly disclosed vulnerability
  • Accessing a user's account without their consent
  • Exploits with a low probability of success
  • Reports that do not follow the rules for an eligible report


Reporting policy

Important: Your report must be sent as an encrypted email.
Unencrypted emails do not comply with our eligible report policy and will not be reviewed.

An eligible report contains:

  • Only ONE eligible vulnerability per report
  • A title (including the vulnerability type and the domain or subdomain)
  • A concise description of the steps to reproduce (screenshots may be helpful)
  • A realistic assessment of the exploitability and its impact
  • For app reports: your OS and its version
  • Optional: your (nick)name and a link to your Twitter / XING / GitHub profile or website, to be displayed in our Hall of Fame
  • NOTE: Your report must be reproducible and precise!



The minimum reward for every eligible report is a mention in our Hall of Fame.
Reward amounts are based on the severity, impact and quality of your report.
Rewards are paid by bank transfer only (no PayPal); the recipient is responsible for the correct taxation of the reward.

Submitting your report

  • Send an encrypted email to security@burda-forward.de containing your eligible report, encrypted with our public PGP key.
  • Submissions are only valid if you give your real name (first and last name), to prevent fraud.
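The encryption step above is where submissions most often go wrong: the report is sent in plaintext, the program's key was never imported, or gpg refuses to encrypt to an unverified key in batch mode. The following script is an added example, not part of the program's instructions, showing the gpg workflow end to end. Because the program's real public key is not reproduced on this page, the script generates a throwaway key as a stand-in (an assumption, clearly labelled); with the real key you would skip that step, download the published key file instead, and compare its fingerprint against one obtained out of band before encrypting. The report text is a constructed placeholder.

```shell
#!/bin/sh
# Added example: encrypting a bug report for a program's PGP public key with gpg.
# Everything under $WORK is throwaway; the "program" keyring stands in for the
# recipient and is NOT the real BurdaForward key (assumption for the demo).
set -eu

WORK=$(mktemp -d)
PROGRAM_HOME="$WORK/program"       # stand-in for the recipient's keyring (assumption)
RESEARCHER_HOME="$WORK/researcher" # the reporter's own keyring
mkdir -p "$PROGRAM_HOME" "$RESEARCHER_HOME"
chmod 700 "$PROGRAM_HOME" "$RESEARCHER_HOME"
# Address from the page; the key material behind it here is a throwaway.
KEY_UID="BurdaForward Security <security@burda-forward.de>"

# 1. Stand-in for the program's published key. With the real program you would
#    download public-key.asc from them instead of generating anything.
gpg --homedir "$PROGRAM_HOME" --batch --quiet --pinentry-mode loopback \
    --passphrase '' --quick-generate-key "$KEY_UID" default default never
gpg --homedir "$PROGRAM_HOME" --batch --quiet --armor \
    --export "$KEY_UID" > "$WORK/public-key.asc"

# 2. Import the published key into the researcher's keyring and print its
#    fingerprint. Compare this value with a fingerprint obtained out of band
#    (e.g. from the program page over HTTPS) before trusting it.
import_program_key() {
    gpg --homedir "$RESEARCHER_HOME" --batch --quiet --import "$WORK/public-key.asc"
    gpg --homedir "$RESEARCHER_HOME" --batch --with-colons --fingerprint "$KEY_UID" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 3. Encrypt the report to the program's key as ASCII armor (safe to paste into
#    a mail body). --trust-model always is what makes an unsigned, freshly
#    imported key usable non-interactively; only use it after step 2 checked
#    out. Prints the first line of the ciphertext.
encrypt_report() {
    in="$1"; out="$2"
    gpg --homedir "$RESEARCHER_HOME" --batch --yes --quiet --trust-model always \
        --armor --recipient "$KEY_UID" --output "$out" --encrypt "$in"
    head -n 1 "$out"
}

# 4. Negative check before sending: a string from the plaintext must not
#    appear in the file that goes out. Returns 0 if it leaked.
plaintext_leaked() {
    grep -q -F "$1" "$2"
}

# 5. What the recipient does with it (only possible with the private key).
decrypt_report() {
    gpg --homedir "$PROGRAM_HOME" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt "$1"
}

# Constructed placeholder report following the page's "one finding per report,
# title first" rule; no real vulnerability is described here.
cat > "$WORK/report.txt" <<'EOF'
Title: <vulnerability type> on <subdomain>
Steps to reproduce: <numbered, precise, reproducible>
Exploitability and impact: <realistic assessment>
Reporter: <first name> <last name>
EOF

# Stand-alone run: import, encrypt, check, decrypt.
FINGERPRINT=$(import_program_key)
echo "recipient fingerprint: $FINGERPRINT"
encrypt_report "$WORK/report.txt" "$WORK/report.txt.asc"
if plaintext_leaked "Steps to reproduce" "$WORK/report.txt.asc"; then
    echo "refusing to send: plaintext visible in output" >&2
    exit 1
fi
echo "encrypted report written to $WORK/report.txt.asc"
```

The file `report.txt.asc` is what gets attached to or pasted into the mail; the temp directory is deliberately left in place so the files can be inspected. Signing the report with your own key in addition (`--sign` alongside `--encrypt`) is optional but lets the program tie later messages to the same reporter.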

If you have any further questions, feel free to contact us at security@burda-forward.de 
Please note that our scopes are not static and can be updated at any time.

Last updated: 03.03.2021