Coordinated Vulnerability Disclosure Policy

At Welotec GmbH, the security and integrity of our embedded devices and software solutions are paramount. We appreciate the role played by independent security researchers and our community in upholding high security standards. We encourage responsible reporting of any vulnerabilities found in our products or services.

Our Commitment

  • Prompt Responses: We acknowledge reports within three business days.
  • Thorough Investigation: We carefully analyze every report to assess its impact.
  • Confidentiality: We maintain strict confidentiality over all reported vulnerabilities.
  • Transparency: We provide regular updates throughout the vulnerability resolution process.

Guidelines for Responsible Disclosure

We request that researchers:
  • Detail the suspected vulnerability, including impact and reproduction steps.
  • Avoid accessing or modifying user data without consent.
  • Refrain from degrading our services or causing intentional harm.
  • Do not publicly disclose the issue until it has been resolved.

Scope

This policy covers:
  • All Welotec hardware products.
  • Software solutions by Welotec, regardless of their connection to our hardware.

Security Researcher Legal Protection

We firmly believe in and support the efforts of ethical hackers and security researchers. When you follow the guidelines for responsible disclosure outlined in this policy:
  • Legal Protection: We will not pursue legal action against individuals who report vulnerabilities in accordance with this policy. This includes bypassing technological measures to identify vulnerabilities, provided the research is conducted in good faith and does not cause harm.
  • Support and Communication: We work closely with researchers to understand and resolve the issue swiftly.
  • Acknowledgement: We appreciate your efforts and will ensure you receive recognition for your contribution to our product's security.

How to Report a Vulnerability

To report vulnerabilities, contact us at psirt@welotec.com. For secure communication, we encourage using PGP encrypted email. Find our PGP public key here. Your report should include:
  • Detailed information about the vulnerability and exploitation methods.
  • Any prerequisites needed to exploit the vulnerability.
  • Affected products and/or software versions.
  • Your contact information for follow-up.

An alternative approach, should Welotec's services be unavailable at any time, is to directly contact VDE Cert via email or their contact form: https://cert.vde.com/de/.

Recognition

Contributors who report vulnerabilities responsibly will be acknowledged after verification and resolution.

Published Security Advisories

For transparency and to aid the community, we maintain a record of all resolved vulnerabilities. These records can be vital for users and researchers alike to understand the nature of vulnerabilities and their resolutions. Access our library of published security advisories at https://cert.vde.com/de/advisories/vendor/welotec/.

We reserve the right to modify this policy as needed.