Vulnerability Disclosure Policy
If you find vulnerabilities in the IT systems of Groz-Beckert or one of its subsidiaries, please report them to us. We will take immediate action to eliminate them as quickly as possible.
The Vulnerability Disclosure Policy of Groz-Beckert may not be used without our consent to prepare vulnerability reports for, or pass them on to, third-party programs.
Procedure
- Before you send us a report, please first check whether it falls within the scope of application (information on the scope of application can be found below).
- Fill out the form at the bottom of the page or send your findings on the vulnerability found by e-mail to bugs@groz-beckert.com.
- Encrypt your documentation with our PGP key to prevent this sensitive information from falling into the wrong hands. You can find the current key in the PGP key (ZIP) download on this page.
- To make communication between you and us as easy as possible, please use the format specifications or the form at the bottom of the page.
Please observe the following instructions / regulations
- The vulnerability must not be actively exploited, for example by downloading, modifying or deleting data or uploading code.
- Information about the vulnerability may not be passed on to third parties or institutions unless this has been approved by the Groz-Beckert KG Information Security department.
- Attacks on our IT systems that compromise, change or manipulate the infrastructure and/or persons may not be carried out.
- Likewise, no social engineering, phishing, (distributed) denial of service or other attacks on Groz-Beckert KG and its subsidiaries may be carried out.
- Please provide us with sufficient information so that the problem can be reproduced and analyzed.
- Please also provide a contact option for queries.
- Usually, the address or URL of the affected system and a description of the vulnerability are sufficient.
- In the case of complex vulnerabilities, further explanations and documentation are required.
- If the affected system is a service hosted in the cloud, the possible specifications of the respective cloud provider must also be observed.
Our commitment
- Our aim is to rectify the vulnerability as quickly as possible.
- We will provide you with feedback on the vulnerability you have reported and the report.
- While the vulnerabilities are being processed, you will also be informed about the validity and rectification.
- Your report and your personal data will be treated confidentially. No data will be passed on to third parties without your consent.
- We will not inform law enforcement authorities about your findings, provided you follow the instructions. If there are clear criminal or intelligence intentions, legal action will be taken.
Vulnerabilities in the scope of application
Typical examples are:
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference
- Remote Code Execution (RCE)
- Information Leakage and Improper Error Handling
- Unauthorized access to systems, services, databases or accounts
This also includes:
- Data/information leaks
- Possibility of exfiltration of data / information
- Actively exploitable backdoors
- Possibility of unauthorized system use
- Misconfigurations
- Outdated software products with critical vulnerabilities
Vulnerabilities outside the scope
The following vulnerabilities do not fall within the scope of Groz-Beckert's Vulnerability Disclosure Policy:
- Attacks that require physical access to a user's device or network.
- Forms with missing CSRF tokens (exception: criticality exceeds Common Vulnerability Scoring System (CVSS) level 5).
- Missing security headers that do not directly lead to an exploitable vulnerability.
- The use of a library known to be vulnerable or publicly known to be broken (without active evidence of exploitability).
- Reports from automated tools or scans without explanatory documentation.
- Social engineering against persons or facilities of Groz-Beckert KG or one of its subsidiaries
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
- Bots, SPAM, mass registration.
- Missing best practices (e.g. certificate pinning, security headers); please do not submit these as vulnerabilities.
- Use of vulnerable and "weak" cipher suites / ciphers.
Format requirements for reporting vulnerabilities
Note for the submission of reports: Vulnerabilities can generally be submitted in both German and English.
Please use the form at the bottom of this page or the following structure.
- Name of the vulnerability
- Type of vulnerability
- Brief explanation of the vulnerability (no technical details)
- Affected product / service / IT system / device
  - Manufacturer
  - Product version
  - Version / Model
- Exploitation technique
  - Remote
  - Local
  - Network
  - Physical
- Authentication type
  - Pre-Auth
  - User Privileges (None / User / Admin)
- User interaction
  - No interaction necessary
  - User interaction required
- Technical details and description of the vulnerability
- Proof of concept
- Demonstration of a possible solution
- Author and contact details