SICK Product Security Incident Response Team
SICK AG products and services are subject to the highest quality requirements. That is why cyber security is taken into account and tested in the development phase. To ensure that products and services are secure throughout their entire service life, reports on possible vulnerability are taken very seriously and handled with the greatest sense of responsibility. Uncovering vulnerabilities is understood as a common goal of different parties with the aim of offering our customers a consistently high level of security.
The SICK Product Security Incident Response Team (SICK PSIRT)
The SICK PSIRT is the central team of SICK AG which is authorized to answer reports regarding the cyber security of products, solutions and services as well as provide information. All reports concerning potential vulnerabilities or other security incidents connected to SICK AG products can be passed on to the SICK PSIRT.
The SICK PSIRT manages the inspection, internal coordination and disclosure of security vulnerabilities. A safety note is issued for confirmed vulnerabilities as soon as a solution is available. If the situation requires, a safety notes with the measures to be taken is sent out before an update is available.
Reports on potential vulnerabilities or other incidents are more than welcome from anyone, regardless of their customer status. SICK AG respects and takes into account the different interests of reporters and encourages the reporting of information to the SICK PSIRT. The aim is to create a process of coordinated disclosure of vulnerabilities (coordinated vulnerability disclosure).
Handling vulnerabilities is described in document “Vulnerability Handling Guideline”.
Reporting a vulnerability
The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.
Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include safety researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.
Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.
SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:
- Contact information and availability
- Affected product including model and version number
- Classification of the vulnerability (buffer overflow, XSS, …)
- Detailed description of the vulnerability (with verification if possible)
- Effect of the vulnerability (if know)
- Current level of awareness of the vulnerability (are there plans to disclose it?)
- (Company) affiliation of the reporter (if reporter is prepared to provide such information)
- CVSS score (if known)
If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.
If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.
Reports for the SICK PSIRT are to be sent to this address:
- firstname.lastname@example.org (PGP Public Key with fingerprint: D441 9CE6 6F46 4D8C C017 520D 70D6 2CF8 AA9D 9E95)
- Available languages: German and English
- Transmission: Encryption preferred
Encrypted reports are preferred to protect sensitive information and data. German and English are accepted.
The SICK PSIRT is happy to provide additional information about its operating principle or answer general questions about reports of vulnerabilities. If you have any other questions or concerns not related to security, we ask that you contact SICK AG customer service. The SICK PSIRT cannot provide information about these issues.
Security advisories are not visible until you log in.
12/10/2018 - Introduction of the SICK PSIRT