SICK Product Security Incident Response Team
SICK AG products and services are subject to the highest quality requirements. That is why cyber security is taken into account and tested in the development phase. To ensure that products and services are secure throughout their entire service life, reports on possible vulnerabilities are taken very seriously and handled with the greatest sense of responsibility. Uncovering vulnerabilities is understood as a common goal of different parties with the aim of offering our customers a consistently high level of security.
The SICK Product Security Incident Response Team (SICK PSIRT)
The SICK PSIRT is the central team of SICK AG which is authorized to answer reports regarding the cyber security of products, solutions and services as well as provide information. All reports concerning potential vulnerabilities or other security incidents connected to SICK AG products can be passed on to the SICK PSIRT.
The SICK PSIRT manages the inspection, internal coordination and disclosure of security vulnerabilities. A security advisory is issued for confirmed vulnerabilities as soon as a solution is available. If the situation requires, a security advisory with the measures to be taken is sent out before an update is available.
Reports on potential vulnerabilities or other incidents are more than welcome from anyone, regardless of their customer status. SICK AG respects and takes into account the different interests of reporters and encourages the reporting of information to the SICK PSIRT. The aim is to follow a process of coordinated disclosure of vulnerabilities (coordinated vulnerability disclosure).
Handling vulnerabilities is described in document “Vulnerability Handling Guideline”.
Reporting a vulnerability
The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.
Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.
Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.
SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:
- Contact information and availability
- Affected product including model and version number
- Classification of the vulnerability (buffer overflow, XSS, …)
- Detailed description of the vulnerability (with verification if possible)
- Effect of the vulnerability (if know)
- Current level of awareness of the vulnerability (are there plans to disclose it?)
- (Company) affiliation of the reporter (if reporter is prepared to provide such information)
- CVSS score (if known)
If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.
If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.
Reports for the SICK PSIRT are to be sent to this address:
- firstname.lastname@example.org (PGP Public Key with fingerprint: E473 D535 A7F5 7460 7923 FBC3 7EE5 723D C8D3 3A14)
- Accepted languages: German and English
- Transmission: Encryption preferred
Encrypted reports are preferred to protect sensitive information and data. German and English are accepted.
The SICK PSIRT is happy to provide additional information about its operating principle or answer general questions about reports of vulnerabilities. If you have any other questions or concerns not related to security, we ask that you contact SICK AG customer service. The SICK PSIRT cannot provide information about these issues.
ID Title CVSS Score Products Date Download (PDF) Signature SCA-2019-0001 Use of hard-coded credentials in MSC800 9.8 MSC800 all versions 24.06.2019 Download Download SCA-2019-0002 Vulnerability in FX0-GENT00000 and FX0-GPNT00000 7.5 FX0-GPNT00000 (1044074) FX0-GENT00000 (1044072) 20.09.2019 Download Download