The image shows the process for findings in context with possible vulnerabilities: There are 3 important questions: "Is it merely a misconfiguration?", "Does a patch exist?" and "Is a PoC publicy known?". If your answer to every or at least a few questions is "yes", your finding doesn't fit with BSI's understanding of coordinated vulnerability disclosure. Nevertheless, we appreciate if you send your finding to certbund@bsi.bund.de. If the answer to all of these questions is "no", you are welcome to deliver your information via mail to vulnerability@cert-bund.de or via the reporting form on our website. If some of these questions can't be answered so far, please try some more research yourself.