Within the scope of security analyses of software and hardware products, we regularly discover unpublished vulnerabilities.
We strictly adhere to the following guidelines, which describe our approach to the Responsible Coordinated Disclosure Policy. Individual agreements remain unaffected by this.
- We document each vulnerability we identify and promptly forward this information to the manufacturer of the product concerned.
- As far as this seems possible and appropriate, we support the manufacturer in verifying and eliminating the vulnerability.
- We verify the elimination of the vulnerability, if this is possible with reasonable effort.
- We support the manufacturer in the publication of the vulnerability. We request a mention of our support in identifying and, if necessary, rectifying the vulnerability.
- In principle, we reserve the right to publish vulnerabilities we have found within the following time frame:
  - If the manufacturer does not react or refuses to correct the vulnerability, we will publish the vulnerability no earlier than 45 days after submission of the vulnerability report.
  - Otherwise, we will not publish the vulnerability before 90 days have elapsed from the submission of the vulnerability report.
  - In individual cases, the periods may be extended after appropriate review.
- Requests for a different procedure must be agreed in writing.