Coordinated disclosure policy
Coordinated Vulnerability Disclosure Policy of the Voith Group
Our Security Policy
Voith operates a multi-layered security concept to ensure IT security and data protection in all our products and systems. This security concept is regularly checked, among other things, by our certifications, e.g. ISO 27001.
Should you nevertheless discover security problems or vulnerabilities in our applications or systems, please inform us. We will take immediate action to remedy the vulnerability found as quickly as possible.
How to report a vulnerability
Please send all relevant findings via email to security@voith.com. You can encrypt this email with our PGP key to protect this sensitive information from third parties. Alternatively, please contact us by phone at +49-(0)7321-37-2222, quoting "Coordinated Disclosure".
Please provide us with sufficient information so that we can reproduce and analyze the problem.
As complex issues may require queries, we also ask you to provide us with a way of contacting you.
We request that you do not use the discovered vulnerability for this purpose, for example by downloading, modifying, deleting data, uploading code or giving information about the weakness to third parties.
Services in scope
In scope are any Voith- Voith-related digital services. This includes, amongst other, virtually all the content in the following domains:
*.voith.com
*.voith.de
*.voith.net
*.myvoith.com
*.voith.io
Reports on services not operated on behalf of or under responsibility of Voith are welcome but do not qualify vulnerability in scope of this policy.
Qualifying vulnerabilities
We expect that any vulnerability you report to us will have a valid attack scenario.
Any issues that affect the confidentiality, integrity or availability of our systems and information is likely to be in scope, such as:
- Authentication or authorization flaws,
- Cross-site scripting,
- Server-side code execution bugs
Non-qualifying vulnerabilities
We generally review reports regarding to their impact on a case-by-case basis, this means some of the reported issues may not qualify; such as:
- Known events: we proceed with the ‘first-come-first serve’ principle, so no multiple reporting. This includes vulnerabilities already known from internal security tools or employees.
- Compliance violation: in case vulnerability research and related information gathering is violating any laws, no reward will be paid.
- Vulnerabilities in “sandbox” domains: if there is no impact on sensitive data which can be demonstrated or requiring exceedingly unlikely user interaction.
- Version information that does not expose the service to attacks and is seen only as information gathering, as part of further potential exploits.
- Email spoofing (e.g. @voith.com) as we are aware of this general risk.
- General attack methods regarding the availability of our services to all users; like (D)DOS attempts.
What we promise
We will inform you about the receipt of your report, furthermore we will keep you informed about relevant results of the internal processing.
We will take appropriate countermeasures as soon as possible to close the reported vulnerability.
We will treat your report and related information strictly confidentially and will not disclose your personal data to third parties without your consent.
We will not take any legal action against you. This does not apply in cases of recognizable criminal or intelligence intentions.
The reporter is judged according to his or her abilities and not according to personal aspects such as age, gender, origin, education or social rank.
We show this respect and gratitude to every reporter by documenting the closed vulnerability in the corresponding documentation or news of the item concerned. If you wish, this can also be done by mentioning your name (or alias).
We currently have no general bug bounty program. There is expressly no legal claim to a reward. Decisions in this regard are subject to Voith's sole discretion.
Voith GmbH & Co. KGaA
PGP Key for secure communication
Please note this key is not published on public keyservers to avoid spam/phishing emails.