Siemens Vulnerability Handling and Disclosure Process

PREFACE

Siemens is committed to helping ensure the safety and security of its customers’ facilities. Siemens follows a holistic and comprehensive approach to securing its products, solutions, services, and IT infrastructure. Siemens has formalized a process for handling reported security vulnerabilities in its product portfolio and IT infrastructure.

Siemens is prepared to work in good faith with individuals who submit vulnerability reports through the ways described in section “Contact Information”. Siemens openly accepts reports for currently listed Siemens products, solutions, and Siemens IT infrastructure. Siemens maintains a Hall of Thanks to credit individuals who ethically report security issues in Siemens products, solutions, services, or infrastructure. Siemens does not intend to engage in legal action against individuals who:

  • Engage in testing of systems/research without harming anyone.
  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
  • Adhere to the applicable laws and comply with all applicable software license requirements.
  • Perform coordinated disclosure, i.e. refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
  • Avoid impact to the safety or privacy of anyone. With regard to medical products, particularly avoid impact to the safety or privacy of patients.

Process Description

VULNERABILITY HANDLING AND DISCLOSURE PROCESS

The vulnerability handling process consists of the following four steps at Siemens: 


1. Report

To report a security vulnerability affecting a Siemens product, solution or infrastructure component, please contact Siemens using the ways described in section “Contact Information”. Siemens usually responds to incoming reports within one business day (reference: Munich, Germany).

Please report the following information:

  • Description of the vulnerability, including proof-of-concept exploit code or network traces (if available)
  • Affected product, solution or infrastructure component, including model and firmware version (if available)
  • Publicity of the vulnerability (has it already been publicly disclosed?)

Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product lifecycle status. Siemens welcomes vulnerability reports from researchers, industry groups, CERTs, partners and any other source, and does not require a non-disclosure agreement as a prerequisite for receiving reports. Siemens respects the interests of the reporting party (including anonymous reports, if requested) and agrees to handle any vulnerability that is reasonably believed to be related to Siemens products, solutions or infrastructure components. Siemens urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts Siemens’ customer systems at unnecessary risk. Those systems comprise significant parts of the worldwide critical infrastructure.

2. Analysis

Siemens investigates and reproduces the vulnerability. If needed, Siemens will request more information from the reporter.

3. Handling

Siemens performs internal vulnerability handling in collaboration with the responsible development groups. National and governmental CERTs that have a partnership with Siemens ProductCERT may be notified about a security issue in advance. During this time, regular communication is maintained between Siemens and the reporting party to inform about the current status and to ensure that the vendor’s position is understood by the reporting party. If available, pre-releases of software fixes may be provided to the reporting party for verification.

4. Disclosure

After the issue has been successfully analyzed and if a fix is necessary to cope with the vulnerability, corresponding fixes will be developed and prepared for distribution. Siemens will use existing customer notification processes to manage the release of patches, which may include direct customer notification or public release of a security advisory containing all necessary information on the Siemens CERT Services website (see section “Contact Information”).

A Siemens Security Advisory usually contains the following information:

  • Description of the vulnerability with CVE reference and CVSS score
  • Identity of known affected products and software/hardware versions
  • Information on mitigating factors and workarounds
  • The location of available fixes
  • Credit for reporting and collaboration, with the reporting party’s consent

History

V1.0 (2012-06-08):           Publication
V1.1 (2013-06-21):           Adjusted Contact Information
V1.2 (2013-11-05):           Updated PGP key and fingerprint
V1.3 (2014-05-07):           Updated SMIME key and fingerprint
V1.4 (2014-11-14):           Fixed typographical errors
V1.5 (2015-03-11):           Updated SMIME key and fingerprint
V1.6 (2015-10-14):           Updated PGP key and fingerprint
V1.7 (2016-02-22):           Removed SMIME key and fingerprint
V2.0 (2017-10-17):           Updated PGP key and fingerprint; Refined parts of the process and extended disclosure policy to contain information on legal posture

Contact & Information

Get In Touch with Siemens ProductCERT


Feel free to contact us with any security-related question on the Siemens portfolio or infrastructure, and particularly if you want to report a potential security issue.


Please bear in mind that only emails composed in English or German can be considered, and encrypted communication is preferred. You can expect us to respond by the next business day.

Siemens ProductCERT - Contact for Products, Solutions, and Services

PGP Public Key and Fingerprint: 7F04 6EDA 338E 6D94 A3AA 4974 BB67 95EA 8E55 D52E

Email productcert@siemens.com

Siemens CERT - Contact for Infrastructure

PGP Public Key and Fingerprint: A3D1 8E40 D104 DEAD A112 3FF6 B485 0E2E 1AA2 2CD8

Email cert@siemens.com