CSIRT MFSR exclusively handles cybersecurity incidents and vulnerabilities related to information systems, infrastructure, data, or misuse of the name of the Ministry of Finance of the Slovak Republic. Reports concerning incidents affecting private individuals or other institutions—especially financial fraud, online scams, or similar attacks that have no connection to the Ministry of Finance of the Slovak Republic—do not fall within the competence of CSIRT MFSR and will not be processed.
Vulnerabilities can be reported in the following ways:
- by email to the official address “incident (at) mfsr.sk” (preferred reporting method),
- by phone at +421 2 5958 5000 (during working hours only, or in the case of critical incidents by prior arrangement),
- via secure communication channels (e.g., PGP-encrypted email).
If necessary, please include attachments in your email communication, and in the case of sensitive information, please use encryption with our PGP key.
When reporting vulnerabilities, we kindly ask you to provide as detailed a description as possible of the process by which you identified the vulnerability. This is to clearly distinguish your activity from that of potential attackers who may have exploited the vulnerability.
When reporting a vulnerability, please include in particular the following information:
Detailed structure of a vulnerability report:
Minimum required information:
- Information about the reporting person:
  - contact details, including options for secure communication (e.g., PGP key).
- Information about how the vulnerability was identified:
  - exact date and time, or time interval of interaction with the service/device,
  - method of discovery:
    - visited pages,
    - IP address(es) used to access the vulnerable device/software,
    - any custom scripts or server requests used.
- Information about the vulnerability:
  - as detailed a description as possible – type of vulnerability, what actions/attacks it enables, and how it can be exploited (proof of concept),
  - type of device/software affected and its exact version,
  - whether the vulnerability has already been reported elsewhere (e.g., to the vendor, CVE assignment, etc.).
Additional information:
- Information about the vulnerability:
  - in case of a vulnerable system configuration, a precise and unambiguous description of the configuration,
  - estimated severity of the vulnerability (e.g., using CVSS) and its potential impact if exploited,
  - if possible, information about related patches and updates,
  - any other relevant information related to the vulnerability.