HanseSecure Responsible Disclosure Policy

I responsibly identify vulnerabilities

HanseSecure identifies vulnerabilities in hardware and software products, even without a customer's order. These are responsibly disclosed (Responsible Disclosure) in the form of a blog post and an entry in the Common Vulnerabilities and Exposures (CVE) list.

Before publication, the manufacturer is informed in writing about the vulnerability. Detailed information about the vulnerability is published once the vendor has provided a solution, or 30 days after the vendor has been confidentially notified of the vulnerability (in the second case even without a solution or workaround).

If the manufacturer provides, in writing, a justification for extending this deadline, the timeframe may be adjusted in consultation with the manufacturer and a date for the coordinated publication of the vulnerability may be agreed.

The aim of this policy is to inform the public about security vulnerabilities and, at the same time, to promote a fix for the vulnerabilities by the manufacturer.

HanseSecure offers to test the product in question for manufacturers before the vulnerability is published, in order to minimize the possibility of further vulnerabilities.

This policy is guided by the Coordinated Vulnerability Disclosure Guidance.