AUMA Product Security Incident Response Team

What is the AUMA PSIRT?

The AUMA PSIRT (Product Security Incident Response Team) is the central product security team of AUMA Riester GmbH & Co. KG. It receives, processes and responds to reports of potential security vulnerabilities in AUMA products and services.

Any issue concerning potential vulnerabilities in AUMA products and services can be reported to the AUMA PSIRT.

What does the AUMA PSIRT do?

The AUMA PSIRT manages internal investigations, coordinates the resulting activities and publishes notes on confirmed security vulnerabilities with available measures for mitigation or elimination.

Report security vulnerability

Everybody is invited to report on potential security vulnerabilities - apart from our direct customers, this also includes experts, scientists, CERTs (Computer Emergency Response Teams), authorities, industrial associations, suppliers, consultants, plant operators and of course internal staff.

Reports to the AUMA PSIRT are submitted via the e-mail address PSIRT@auma.com, which was created for this purpose.

Since some of our products are deployed in critical infrastructures, we ask you to consult us prior to disclosing security vulnerabilities. This is intended to avoid any hazards to the security of installations until our R&D teams have defined and provided appropriate countermeasures for elimination or mitigation.

Neither a non-disclosure agreement (NDA) nor any other contract is required to collaborate with us on disclosing security vulnerabilities. We aim to cooperate on a confidential and professional basis with the respective reporters when dealing with potential security vulnerabilities related to AUMA products and services.

When sending your e-mail, please provide the following details to ensure speedy processing:
  • Name of reporter: If you wish to remain undisclosed, we shall respect your interests
  • Contact details: E-mail and phone number to contact you for any questions or feedback
  • Assignment: Name of your organisation (e.g. company name)
  • Type of security vulnerability: Description of the type of security vulnerability (e.g. XSS, buffer overflow, hard-coded credentials ...)
  • Trigger of the security vulnerability: Description of how the security vulnerability can be triggered (tools, processes, procedures, proofs, ...)
  • Affected product: In which AUMA products or services was the security vulnerability detected? Please provide any available information, such as product designation with order or serial number, firmware or software version and, if applicable, the operating system of affected components, and indicate the location for services (e.g. URL)
  • Impact of the security vulnerability: Please describe how an attacker could take advantage of the security vulnerability and what the impact would be.
  • CVSS evaluation: Evaluation of the security vulnerability according to the Common Vulnerability Scoring System (CVSS), if known.
  • Confidentiality of security vulnerabilities: Was the security vulnerability already disclosed or are there any plans for disclosure?

Please send us your report either in German or English.

Information on security vulnerabilities is critical. For this reason, we kindly ask you to send encrypted messages. Please use the following PGP key to encrypt your information when sending it to PSIRT@auma.com.

AUMA PSIRT Public Keys

Link to download our PGP key:

Fingerprint: 64F97ED5674E7BF923018ED87788765AF3FF7089

Analysis and solution

A standardised handling process is initiated upon receipt of your notification. AUMA PSIRT shall acknowledge receipt of the reported security vulnerability, evaluate and analyse the information provided and coordinate the required investigations and activities for identifying a solution. This is done in close cooperation with the reporter of the security vulnerability.

Advisories and security guidelines for AUMA products and services

Disclosure

Security advisories for AUMA products and services shall be published on the publicly accessible IT security platform CERT@VDE, which has been created for coordinating security vulnerabilities specifically for companies in industrial automation.

Security guidelines
SIMA² Master Station

Do you have any questions?

AUMA PSIRT will gladly provide you with any further details on general questions related to the security of AUMA products and services.

AUMA Product Security Incident Response Team (PSIRT)