Vulnerability Disclosure Policy (VDP)

As the National Administration of Liechtenstein, we value the important role of independent security researchers who act ethically to ensure the security of our own data, as well as that of the population and our customers. We therefore welcome reports of vulnerabilities in the digital assets we own, operate, or maintain.

As a public sector entity, the National Administration of Liechtenstein qualifies as an "essential entity" under Art. 3 para. 2 lit. a no. 4 of the Cybersecurity Act (CSG, LGBl. 2025.111) and must implement appropriate and proportionate technical, operational, and organisational risk management measures to control risks to the security of network and information systems and to prevent or minimise the impact of security incidents (Art. 4 para. 1 CSG). This VDP serves as one of those measures.

This Policy outlines the steps for reporting vulnerabilities. Please read the Policy carefully before testing our systems for security gaps or submitting a report. We are committed to working proactively with security researchers to validate and remediate reported vulnerabilities.

This policy applies to all publicly accessible digital assets owned, operated, or maintained by the National Administration of Liechtenstein (this includes the eID.li app for iOS & Android available in the App Store & Google Play).

Please note that we use services from other companies and/or organizations for some parts of our systems and infrastructure.

Vulnerabilities discovered or suspected in those systems should be reported to the appropriate entity, vendor or applicable authority. Otherwise, we will bring the vulnerability to the attention of the relevant organization; however, the owner of the affected IT system remains responsible for the system and for any remediation activities.

When working with us, according to this policy, you can expect us to: 

  • Respond in a timely manner, acknowledging receipt of your vulnerability report 
  • Work with you to understand and validate your report 
  • Maintain an open dialogue to discuss issues 
  • Work to remediate discovered vulnerabilities in a timely manner 
  • Provide an estimated time frame for addressing the vulnerability report 
  • Strive to keep you informed about the progress of a vulnerability as it is processed 
  • Notify you when the vulnerability has been fixed 
  • Recognize your contribution if you are the first to report a unique vulnerability, and your report triggers a code or configuration change
  • Provide a legal Safe Harbor for your vulnerability research that is related to this policy

When participating in our vulnerability reporting program, we ask you to:

  • Play by the rules and instructions described in this policy 
  • Don’t breach any applicable laws in connection with your report and your interaction with us 
  • Report any vulnerability you’ve discovered promptly 
  • Don’t exploit or use in any manner the discovered vulnerabilities other than for the purposes of reporting to us 
  • Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience  
  • Use only the official disclosure channels to discuss vulnerability information with us  
  • Ensure the confidentiality of details of any discovered vulnerabilities according to this policy  
  • If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; cease testing and submit a report immediately  
  • Interact only with test accounts you own or for which you have explicit permission from the account holder  
  • Do not engage in extortion  
  • Provide us a reasonable amount of time to resolve the issue 
  • Coordinate with us before disclosing vulnerabilities publicly

If you gain access to personal or confidential data during testing, do not intentionally access, store, copy, publish, or share such data with third parties. Limit access to the minimum technically necessary to demonstrate the vulnerability and inform us immediately. Treat all such data confidentially and use it solely for reporting purposes.

While we encourage you to report to us any vulnerabilities you find, the following conduct is, however, prohibited:

  • Performing actions that may negatively affect our systems or our customers (e.g. phishing, spam, brute force, denial of service, etc.) 
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you 
  • Conducting any kind of physical or electronic attack on our personnel, property, buildings or infrastructure 
  • Social engineering our employees, customers or contractors

We value the effort of external security researchers who identify security vulnerabilities and disclose those vulnerabilities responsibly so that they can be fixed. Our policy is to allow publication, provided the following conditions are met (Coordinated Vulnerability Disclosure): 

  • The reporting individual does not publish the vulnerability prior to us confirming a fix has been released and that it is acceptable to publish
  • A publication is always considered acceptable after 120 days, provided you have coordinated with us
  • No publication of exact details of the issue, for example exploits or Proof-of-Concept code

Please report security issues via this platform, providing all relevant information. Do not submit reports from automated tools without verifying them. The more of the following details you provide, the easier it will be for us to triage and fix the issue: 

  • Technical description of the vulnerability, including: 
    • Browser information (type and version) used   
    • Relevant information about connected components and devices   
    • Impacted platform(s) URL(s)  
  • Sample code to demonstrate the vulnerability and/or detailed steps to reproduce  
  • Threat/risk assessment  
  • Date and time of discovery  
  • Contact information  
  • Possible disclosure plans  

Please note that these channels are for reporting undisclosed security vulnerabilities only and must not be used for any other support or information requests. Inquiries sent there that do not relate to undisclosed security vulnerabilities will not receive any response.

The Legal Safe Harbor described and granted below applies only if your activities remain within the defined scope and are conducted in accordance with the expectations and rules outlined herein. It is further required that you act in good faith—meaning solely with the intention of responsibly identifying and reporting vulnerabilities, without intentionally causing harm, disclosing confidential or secret information, or impairing systems beyond what is necessary to demonstrate the vulnerability. Actions beyond these boundaries may void the protection provided by the Legal Safe Harbor.

We will not take legal action or refer complaints to law enforcement authorities against participants in this program for unintentional violations of this policy, provided that such actions were taken in good faith.

We consider the activities of participants, as long as they are carried out in good faith, responsibly, and in accordance with this policy, to constitute authorized access under the Liechtenstein Criminal Code. This includes, for example, §§ 118a, 119, 119a, 126a, 126b, 126c, 131a, and 225a of the Criminal Code (LGBl. 1988.037). In the case of offenses requiring authorization to prosecute (§§ 118a, 119, and 119a of the Criminal Code), the Office for Information Technology will not grant such authorization. With regard to other offenses, which must be prosecuted ex officio, the Office for Information Technology will not file charges against participants who attempt to circumvent implemented security measures in order to protect the services named in this policy.

If legal proceedings are initiated by a third party against a participant who has acted in accordance with this policy, we will take the necessary steps to inform the relevant authorities (e.g., national police, public prosecutor, data protection authority) that the actions of the participant were in line with this policy. This includes, for instance, reference to § 126c para. 2 of the Criminal Code, which states that participants who act in compliance with this policy voluntarily prevent the unlawful use of computer programs, comparable devices, passwords, etc., or reduce or eliminate the risk of unlawful use within the meaning of §§ 118a, 119, 119a, 126a, 126b, 126c, or 148a of the Criminal Code.

In the case of minor violations of this policy, a warning may be issued. In cases of serious violations, we are obligated to file a report, which may lead to prosecution by the public prosecutor.

As always, you are required to comply with all applicable laws. If at any point you have concerns or are unsure whether your testing and activities comply with this policy, please submit a report through one of our official channels before proceeding with your activities.

Please note that the Legal Safe Harbor only applies to legal claims under the control of the organization participating in this policy and does not bind independent third parties.

This policy is governed by the laws of Liechtenstein. The exclusive place of jurisdiction for all disputes arising from or in connection with this policy is Vaduz, Liechtenstein.

The Office for Information Technology and the National Administration of Liechtenstein assume no liability for any damages, losses, or costs you may incur in connection with your testing or vulnerability reporting. This includes, but is not limited to, direct or indirect damage to your systems, software, data loss, loss of profit, or consequential damage.

You are responsible for ensuring your testing does not improperly affect our systems or third parties. For damages caused by actions outside the defined scope or in violation of this Policy, we reserve the right to pursue legal action and seek compensation.
