SICK Product Security Incident Response Team (SICK PSIRT)

SICK Security Advisories

SICK AG products and services are subject to the highest quality requirements. That is why cyber security is taken into account and tested in the development phase. To ensure that products and services are secure throughout their entire service life, reports on possible vulnerabilities are taken very seriously and handled with the greatest sense of responsibility. Uncovering vulnerabilities is understood as a common goal of different parties with the aim of offering our customers a consistently high level of security.

The SICK PSIRT is the central team of SICK AG which is authorized to answer reports regarding the cyber security of products, solutions and services as well as provide information. All reports concerning potential vulnerabilities or other security incidents connected to SICK AG products can be passed on to the SICK PSIRT.

The SICK PSIRT manages the inspection, internal coordination and disclosure of security vulnerabilities. A security advisory is issued for confirmed vulnerabilities as soon as a solution is available. If the situation requires, a security advisory with the measures to be taken is sent out before an update is available.

Reports on potential vulnerabilities or other incidents are more than welcome from anyone, regardless of their customer status. SICK AG respects and takes into account the different interests of reporters and encourages the reporting of information to the SICK PSIRT. The aim is to follow a process of coordinated disclosure of vulnerabilities (coordinated vulnerability disclosure).

Handling vulnerabilities is described in document “Vulnerability Handling Guideline”.

The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.

Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.

Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.

SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:

• Contact information and availability
• Affected product including model and version number
• Classification of the vulnerability (buffer overflow, XSS, …)
• Detailed description of the vulnerability (with verification if possible)
• Effect of the vulnerability (if know)
• Current level of awareness of the vulnerability (are there plans to disclose it?)
• (Company) affiliation of the reporter (if reporter is prepared to provide such information)
• CVSS score (if known)

If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.

If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.

Reports for the SICK PSIRT are to be sent to this address:

• psirt@sick.de 
  (PGP Public Key with fingerprint: 7F26 510F D9D7 3F4E 17DE A093 7F83 3F8E)
• Accepted languages: German and English
• Transmission: Encryption preferred

Encrypted reports are preferred to protect sensitive information and data. German and English are accepted. 

The SICK PSIRT is happy to provide additional information about its operating principle or answer general questions about reports of vulnerabilities. If you have any other questions or concerns not related to security, we ask that you contact SICK AG customer service. The SICK PSIRT cannot provide in

09/18/2024 - Update of the PGP Public Key. The previous key can be downloaded here.

09/22/2023 - Update of the PGP Public Key. The previous key can be downloaded here.

08/09/2022 - Update of the PGP Public Key. The previous key can be downloaded here.

09/21/2021 - Update of the PGP Public Key. The previous key can be downloaded here.

09/24/2020 - Update of the PGP Public Key. The previous key can be downloaded here.

18/10/2019 - Update of the PGP Public Key. The previous key can be downloaded here.

12/10/2018 - Introduction of the SICK PSIRT