Responsible Disclosure Policy

Information, data and the processes, information systems and networks that support them are vital to the business of Bühler, our customers and our other business partners. Preserving the confidentiality, integrity and availability of valuable information is essential to honouring the trust our customers and business partners place in us. If you have found security issues or vulnerabilities, we would be very happy if you reported them to us. The following document describes the framework within which such reporting and responsible disclosure is defined for Bühler.

Reporting

The Bühler Information Security team is the point of contact for such reports and can be reached at security[at]buhlergroup.com.

When reporting security weaknesses please include the following elements:

  • Type of vulnerability.
  • Exact description of the vulnerability and the affected elements/assets.
  • A clear description of why you think it is a security issue or vulnerability.
  • Additional helpful information such as steps to reproduce the issue, screenshots, proof of concept scripts and similar.

Guidelines

To encourage responsible disclosure, we ask all researchers to comply with the following general guidelines:

  • Give Bühler enough time (at least 60 days) to verify a report and to implement a fix. Do not disclose any information during this time to third parties or the public without our approval.
  • Testing activity must not impair Bühler services and products. Do not run “denial of service” attacks or tests.
  • Do not obtain, modify or destroy any potentially sensitive information when an identified vulnerability allows you to do so.
  • Do not provide reports from automated scanners without manual verification of the vulnerability.

If you follow these guidelines we commit to:

  • Not pursue or support any legal action related to your research.
  • Work together with you to understand and remediate the issue quickly, including an initial confirmation of your report within 5 days of submission.
  • Consider a bounty depending on the criticality of the finding and the affected information, system or service. In any case, if the finding is in scope of this policy and you wish so, we will add you to our hall of fame below. This applies only if you were the first to report the issue and the issue was not already known to us.

Scope

In-Scope Vulnerabilities

Any issue that affects the confidentiality or integrity of information in a comprehensible, end-to-end way is likely to be in scope. Examples are:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Authentication or Authorization Flaws
  • SQL injection (SQLI)
  • Remote Code Execution (RCE)
  • Local or Remote File Inclusions


Out-of-Scope Vulnerabilities

The following are considered out of scope and will not be rewarded:

  • Outages due to “denial of service” attacks.
  • Errors which do not affect the confidentiality, integrity or availability of information or of the related service or asset, or which do not pose a direct security risk.
  • Leak of non-critical information.
  • DNS records such as SPF, DMARC, DKIM.
  • Logout Cross-Site Request Forgery.
  • TLS/SSL certificate related issues such as weak ciphers or outdated protocols.
  • Issues only exploitable with “clickjacking”.
  • Vulnerabilities that require a victim to install non-standard software or otherwise take active steps to make themselves susceptible.
  • Vulnerabilities which include/require social engineering of our employees or customers.
  • Attacks requiring physical access to a device or system.
  • Hypothetical attack chains in which an identified vulnerability would lead to a security issue only in combination with an assumed or hypothetical situation.
  • Missing cookie flags on non-sensitive cookies.
  • Missing HTTP security headers which do not directly lead to a vulnerability.
  • Presence of banner or version information unless correlated with a vulnerable version.

Hall of Fame

The following people have reported valid security issues and helped us make Bühler more secure.

Credits             Date           Description
Ravindra Dagale     October 2021   Reported a vulnerable, outdated component in a web application.
Yunus Yildirim      October 2021   Reported a valid vulnerability in a web application.
Mohammed Eldawody   August 2021    Reported four valid findings with well documented explanations.