Coordinated Vulnerability Disclosure Policy
At Welotec GmbH, the security and integrity of our embedded devices and software solutions are paramount.
We appreciate the role played by independent security researchers and our community in upholding high security standards.
We encourage responsible reporting of any vulnerabilities found in our products or services.
- Prompt Responses: We acknowledge reports within three business days.
- Thorough Investigation: We carefully analyze every report to assess its impact.
- Confidentiality: We maintain strict confidentiality over all reported vulnerabilities.
- Transparency: We provide regular updates throughout the vulnerability resolution process.
Guidelines for Responsible Disclosure
We request that researchers:
- Detail the suspected vulnerability, including impact and reproduction steps.
- Avoid accessing or modifying user data without consent.
- Refrain from degrading our services or causing intentional harm.
- Do not publicly disclose the issue until it has been resolved.
This policy covers:
- All Welotec hardware products.
- Software solutions by Welotec, regardless of their connection to our hardware.
Security Researcher Legal Protection
We firmly believe in and support the efforts of ethical hackers and security researchers. When you follow the guidelines for responsible disclosure outlined in this policy:
- Legal Protection: We will not pursue legal action against individuals who report vulnerabilities in accordance with this policy. This includes bypassing technological measures to identify vulnerabilities, provided the research is conducted in good faith and does not cause harm.
- Support and Communication: We work closely with the researchers to understand and resolve the issue swiftly.
- Acknowledgement: We appreciate your efforts and will ensure you receive recognition for your contribution to our product’s security.
How to Report a Vulnerability
To report vulnerabilities, contact us at firstname.lastname@example.org. For secure communication, we encourage using PGP encrypted email. Find our PGP public key here.
Your report should include:
- Detailed information about the vulnerability and exploitation methods.
- Any prerequisites needed to exploit the vulnerability.
- Affected products and/or software versions.
- Your contact information for follow-up.
Contributors who report vulnerabilities responsibly will be acknowledged after verification and resolution.
Published Security Advisories
For transparency and to aid the community, we maintain a record of all resolved vulnerabilities. These records can be vital for users and researchers alike to understand the nature of vulnerabilities and their resolutions. Access our library of published security advisories at https://cert.vde.com/de/advisories/vendor/welotec/
We reserve the right to modify this policy as needed.