VULNERABILITY HANDLING PROCESS

At Siemens, a vulnerability handling process typically consists of the following four steps:

1. Report

The vulnerability is reported by an external party to Siemens ProductCERT. Please contact us through the channels described in the section “Contact Information”. We respond to incoming reports within one work day.

Please report the following information:

  • Description of vulnerability, including proof-of-concept exploit code or network traces (if available)
  • Affected product, including model and firmware version (if available)
  • Disclosure status of the vulnerability (Was it already publicly disclosed?)
  • If a large amount of data needs to be submitted, we are able to offer an easy-to-use service for data transfer

Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports directly from researchers, industry groups, CERTs, partners and any other source, and we do not require a non-disclosure agreement to be in place for a report. We respect the interests of the reporting party (including anonymous reporting, if requested) and agree to handle any vulnerability that is reasonably believed to be related to our products or services. We strongly urge reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts our customers’ systems at unnecessary risk. Those systems comprise significant parts of the worldwide critical infrastructure.

2. Analysis

Siemens ProductCERT internally investigates and reproduces the vulnerability. If needed, we request more information from the reporter.

3. Handling

Siemens ProductCERT performs internal vulnerability handling in collaboration with the responsible development groups. CERT teams having a partnership with us may be notified about the problem upfront.

During this time, Siemens ProductCERT and the reporting party stay in regular communication, both to share the current status and to ensure that the reporting party understands the vendor’s position. If available, pre-releases of software fixes may be provided to the reporting party for verification.

4. Disclosure

Once the issue has been successfully analyzed, and if a fix is necessary to address the vulnerability, corresponding fixes will be implemented and prepared for distribution. Siemens ProductCERT will then release an advisory that contains all necessary information on our website (see Section “Contact Information” below).

The advisory usually contains the following information:

  • Description of the vulnerability with CVE reference and CVSS score
  • Identity of known affected products and software/hardware versions
  • Information on mitigating factors and workarounds
  • Timeline and the location of available fixes
  • With the reporting party’s consent, credit is provided for reporting and collaboration.

History

V1.0 (2012-06-08): Publication

Contact & Information

Get In Touch with Siemens ProductCERT

Feel free to contact us with any security-related question about the Siemens portfolio, and particularly if you want to report a potential security issue. In the Services section you will find information on how we work and additional industry best practices.

Security Vulnerability Handling Process

If you want to know more about how Siemens handles security vulnerabilities, have a look at the following document.

LINK

Frequently Asked Questions

The following document collects questions raised to Siemens ProductCERT on a regular basis.

LINK

Industry Best-Practices

Many industries and countries have issued best practices and guidelines. Below you can find a subset of those we are aware of.

LINK
