Vulnerability Disclosure Policy



Introduction

Hager Group follows a secure by design approach for its connected products and services.


This vulnerability disclosure policy is part of this approach. It describes how you can report cyber security and privacy vulnerabilities in Hager Group products and services. It also explains what we do after we receive your report. 


Please read this policy fully before you report a vulnerability and always act in compliance with it.


We value the time and effort you spend reporting security vulnerabilities to keep our products safe and secure. However, we do not have a bug bounty program and we do not offer monetary rewards to reporters.





How to report a vulnerability?

If you believe you have found a vulnerability relating to one of our products, an associated application or service, or a Hager Group website, please submit a vulnerability report using the dedicated form below.

Please note that Hager Group internal infrastructure is out of scope.

Your report must contain the following information:

  • Your email address and your name (optional) for coordination purposes. We will use the information you provide only to contact you and acknowledge you (if you agree). For further information, please see our privacy notice.
  • The vulnerable assets and the configuration used to discover the vulnerability: information on the product, service or website that contains the vulnerability. For example: name, version, serial number, IP address, URL, etc.
  • A description of the vulnerability and its possible impacts. If you can, please list the possible root causes of your findings.
  • The steps to reproduce the vulnerability. This could be a list of steps or commands that we can use to verify and triage the vulnerability.


What happens next?

Our goal is to resolve all vulnerabilities within 90 days.

We will keep you informed of our progress throughout this process.

  • Report submitted
  • Response to your report: up to 1 week
  • Triage: up to 1 month
  • Remediation: We will update you every 2 weeks and you will have the possibility to confirm the resolution of issues before we publish the fix.
  • Fix published and advisory: 90 days after submission (if no embargo). If you accept it, we will acknowledge you in our (joint-)advisory and in our acknowledgements webpage.

Guidance

Please respect the following guidance when reporting a vulnerability. Hager Group will not pursue legal action against researchers following this policy.

You must:

  • Submit a vulnerability report with all the relevant details.
  • Collaborate with our team by answering any requests we may have on your report within 1 week.
  • Always respect the applicable laws and regulations.
  • Agree to not publicly disclose a reported vulnerability until after a fix or mitigation has been released and you have received permission to disclose.

You must not:

  • Demand financial compensation to disclose a vulnerability.
  • Rely on social engineering, phishing or physical attacks against our staff or our infrastructure.
  • Attempt to disrupt services or systems in production. Please refrain from using high-intensity invasive or destructive scanning tools to find vulnerabilities in hosted systems. NEVER perform denial of service attacks.
  • Modify data in systems or services without prior authorization.

Report a vulnerability


By submitting this form, I affirm that I have read and accepted the privacy policies of Hager Group. I acknowledge that the data collected by Hager Group will be used for informational and contact purposes, as well as for acknowledgment, in accordance with GDPR.

