Vulnerability Disclosure Policy

Statement

ondeso manufactures various products that offer you reliability and quality. Despite the greatest care and extensive testing during the creation of ondeso products, they may still contain weaknesses. Since we place the highest value on the security of our products in the production environments of our customers and partners, we stand for an open exchange and trustworthy communication as well as prompt risk minimization.

Policy

If you have found a vulnerability in ondeso products, please notify us so that we can review and assess it and provide a solution as soon as possible. A notification of the vulnerability should be made directly to ondeso in a secure way as shown here as part of the ‘Responsible Disclosure’.

Guidelines

The focus should be on finding vulnerabilities without compromising customer data, privacy and service availability.

• If you are investigating production systems, please do your best to protect them from degradation, avoid service outages, protect privacy, and do not irreversibly alter or destroy data.
• If you reach a point during the investigation where the above points can no longer be ensured, please stop there and contact us immediately so that we can take care of it immediately and thus protect our customers, partners, you and us.

If vulnerabilities are found, please give us the opportunity to fix them as part of the ‘Responsible Disclosure’ process so that any potential damage that could also result from the vulnerability can be prevented. We process every qualified report with the necessary care and strive to provide feedback as soon as possible.

Vulnerability reporting procedure

1. Inform yourself about the scope for vulnerability reporting.

2. Send an encrypted email to the following address: Vulnerability@ondeso.com using PGP public key (fingerprint: 0159 6A97 2113 C416 1942 6719 DCF8 AB3E 9D9C BA2C).

Message template:

Product name*
Product version*
Instruction for the reproduction of the issue*
Further relevant information
Contact details (optional)
Name
Email address

Fields marked with * are mandatory fields.

3. Do not share the information with third parties

Commitments for vulnerability reportings

We try to fix the vulnerabilities as soon as possible or provide suitable measures to minimize the risk. You will receive feedback from us regarding the validity of the reported vulnerability as well as the planned further procedure.

As a matter of principle, we treat your report confidentially and do not pass on your data to third parties.

Qualified report

Any design, implementation or deployment issue that affects the security of ondeso products can be reported.

Scope

Valid for all ondeso products.

Non-qualified vulnerabilities

The following vulnerabilities are not within the scope of the Vulnerability Disclosure Policy:

• General vulnerabilities of (IT) systems and their operating system
• General bugs in libraries / cipher suites / algorithms / protocols etc. already publicly known to be insecure
• Messages without explicit explanation of applicability
• Social engineering, phishing etc. against ondeso employees or ondeso customers / partners
• (Distributed) Denial of Service attacks on ondeso IT systems or ondeso customers / partners