Kistler Group Vulnerability Disclosure Policy


Kistler Group welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

Systems in Scope

This policy applies to:

  • All products of the Kistler Group
  • All internet-facing systems of the Kistler Group
  • We do not consider the pure absence of a security feature a security vulnerability.
  • We are not interested in findings which are commonly generated by automated scanners such as missing HTTP headers, TLS configurations, Cookie flags, Clickjacking, etc., except if you can use them to create a meaningful PoC exploit.

Out of Scope

General Out of Scope items

  • Denial of Service Attacks
  • Social Engineering
  • Phishing
  • Physical access to Kistler facilities or to facilities of Kistler partners
  • Assets or other equipment not owned by parties participating in this policy

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Special Scope items

  • www.kistler.com: Main website, based on Typo3. We are only interested in critical vulnerabilities such as Remote Code Execution (RCE).

Our Commitments

When working with us according to this policy, you can expect us to:

  • Respond to your report promptly, and work with you to understand and validate your report;
  • Strive to keep you informed about the progress of a vulnerability as it is processed;
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
  • Extend Safe Harbor for your vulnerability research that is related to this policy.

Our Expectations

We ask that, in participating in our vulnerability disclosure program in good faith, you:

  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Use only the Official Channels to discuss vulnerability information with us;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
  • Only interact with test accounts you own or with explicit permission from the account holder; and
  • Do not engage in extortion.

Disclosure policy

Coordinated Disclosure: Vulnerability details may be shared with third parties after the vulnerability has been fixed and the Program Owner has provided permission to disclose.

Official Channels

Please use our official channels to report security issues, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

Official channels are:

Safe Harbor

When you conduct vulnerability research according to this policy, we consider that research to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Legal

Kistler reserves the right to modify the terms and conditions of this policy, and your participation constitutes acceptance of all terms. Please check this site regularly as we routinely update our policy terms and eligibility, which are effective upon posting. We reserve the right to cancel this policy at any time.

Version 03/24/2021