Comment by fossislife

2 hours ago

As a German, I fear the only way I can see one of our government agencies reacting to an external pentesting report is if you threatened to release data from it, anyway (this is not a recommendation, please don't raid my home). I just do not see them fixing even a dangerous bug if a stranger came along and told them to.

That's far from reality. Just use the online form of BSI for disclosure. They contact the affected party for you. This way you can optionally stay anonymous, and the vulnerabilities get fixed because BSI appears as the messenger.