VULNERABILITY DISCLOSURE AND MANAGEMENT POLICY

Introduction

The purpose of this BUBENDORFF Vulnerability Disclosure and Management Policy is to enable any person or stakeholder using a BUBENDORFF product containing digital elements or a BUBENDORFF digital service to easily report a security vulnerability (cyber threat).
The aim is to enable Bubendorff to do everything in its power to resolve the vulnerability and improve the security of its products and services.

Scope:

This Vulnerability Disclosure and Management Policy (‘Policy’) applies to all Vulnerabilities that a User intends to report to Bubendorff.

Bubendorff recommends that you read this Policy carefully before reporting a Vulnerability. All actions taken by the User must comply with this Policy.

Bubendorff thanks in advance each User who reports a Vulnerability in accordance with this Policy. However, Bubendorff reiterates that it does not provide rewards of any kind for reporting Vulnerabilities.

Definitions:

  • Vulnerability Correction: the steps involved in resolving the reported vulnerability and implementing solutions to correct or mitigate it.
  • Report: the medium through which a User transmits a potential vulnerability to BUBENDORFF.
  • Vulnerability Disclosure and Management Policy: the action plan by which BUBENDORFF addresses and corrects a vulnerability reported by a User of BUBENDORFF products.
  • Bubendorff product: any product, system or service marketed or made available under the BUBENDORFF trademark.
  • Vulnerability Treatment: the stages of understanding and assessing the severity of the reported vulnerability (scored with CVSS 3.0) by the BUBENDORFF teams, up to the qualification of the transmitted Report as a valid or invalid vulnerability. Vulnerability Treatment does not include Vulnerability Correction.
  • User: any person or stakeholder using a product containing BUBENDORFF digital elements or a BUBENDORFF digital service (e.g. website, servers, etc.).
  • Vulnerability: a security flaw (cyber threat) in a system, product or service.

Vulnerability report:

Any potential vulnerability that may be identified must be communicated to BUBENDORFF by means of a Report sent via the form at the bottom of the page.

The User is asked to provide the following in the Report:

Details of the vulnerability (mandatory)
  • Title of the vulnerability;
  • Medium (internet address, IP address, product or service name, serial number (S/N), the latter being mandatory if the medium is a product) where the vulnerability has been or can be observed;
  • Estimated severity, assessed according to the Common Vulnerability Scoring System (CVSS 3.0);
  • Description of the vulnerability (including a summary, justification and any proposed mitigation measures or recommendations);
  • Impact (what an attacker could do with this vulnerability);
  • Steps to reproduce the vulnerability. This must be a benign and non-destructive proof of concept. This ensures that the Report can be processed quickly and accurately. It also reduces the likelihood of duplicate Reports or of malicious exploitation of certain vulnerabilities, such as subdomain takeovers.

User contact information (mandatory)
  • User name;
  • User's e-mail address.

Report processing:

BUBENDORFF acknowledges receipt of the Report within a maximum of 4 weeks (usually within 5 working days) of its receipt. The Report is handled by the BUBENDORFF teams, who will make their best efforts to carry out the Vulnerability Treatment within a maximum of 60 working days following the acknowledgement of receipt. BUBENDORFF will endeavour to keep the User informed of its progress.

The priority of corrective actions is assessed according to the impact, severity and complexity of the vulnerability. The vulnerability may take some time to be corrected. BUBENDORFF may also contact the User by e-mail in order to obtain further information on the reported vulnerability.

The User may contact Bubendorff to be informed of the progress made in resolving the vulnerability. In this respect, the User undertakes not to contact BUBENDORFF more than once every 30 calendar days, so that the BUBENDORFF teams can work on the corrections to be deployed without disruption.

BUBENDORFF informs the User once the vulnerability has been fixed. The User is then invited to confirm that the reported issue has been resolved.

Once the correction has been published, the User may request that their vulnerability Report be published. BUBENDORFF wishes to provide uniform advice to the Users concerned and therefore requests that the User at the origin of the disclosure coordinate the public release with BUBENDORFF.

If a functional e-mail address is not provided, BUBENDORFF may not be able to process a Report that is incomplete or insufficiently detailed, or to keep the User informed of the progress of the actions taken.


Report a vulnerability:

Any request that does not correspond to a vulnerability report will not be processed or transmitted.

For security reasons, attachments cannot be sent at this stage. They can be sent to us once the vulnerability is being processed.

The information collected by BUBENDORFF SAS directly from you, with your consent, is subject to automated processing for the purpose of managing Pack SAV Extension orders. Information marked with an asterisk is mandatory and necessary; otherwise, BUBENDORFF SAS will not be able to respond to your request. This information is intended for BUBENDORFF SAS and may be passed on to our Bubendorff Advice Points or our network of approved repairers, depending on your request. The data is kept for the time required to process your request. Data processed as part of canvassing operations with your consent may not be kept for more than 3 years after the last contact from you, or in the event of your objection. In the case of a request for a service, the data is archived for 5 years after the end of the service.

In accordance with Regulation (EU) 2016/679 on the protection of personal data, you have the following rights over your data: right of access, right of rectification, right to erasure (right to be forgotten), right to object, right to restrict processing, and right to portability. You may also define directives relating to the retention, deletion and communication of your personal data after your death. You may, for reasons relating to your particular situation, object to the processing of data concerning you. To exercise your rights, please write to Service DCI - Bubendorff - 9 Allée de la Gare - 68100 Mulhouse - France or send an e-mail to the following address: actecil@bubendorff.com. Please specify the purpose of your request and the right(s) you wish to exercise. If there is reasonable doubt about your identity, you may be asked to provide proof of identity. In the event of a breach of the above provisions, you have the right to lodge a complaint with the EDPS.