Jointly uncover vulnerabilities to improve Bosch product security

Bosch PSIRT coordinates measures in case of (potential) security incidents with Bosch engineers and development teams, including establishing an appropriate response plan, and maintaining regular communication with the reporting party. Bosch encourages coordinated disclosure of vulnerabilities and we kindly ask the reporting party to keep the vulnerability confidential until Bosch makes a fix available.

Everyone is encouraged to report identified vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports directly from researchers, industry groups, CERTs (Computer Emergency Response Teams), partners and any other source. We respect the interests of the reporting party (anonymous reports are also welcome) and agree to address any vulnerability that is reasonably believed to be related to our products or services. We strongly urge reporting parties to perform a coordinated disclosure, as immediate public disclosure puts our customers’ systems at unnecessary risk.

By following the Bosch Responsible Security Disclosure Policy, the Bosch PSIRT and associated development organizations will use reasonable efforts to:

• Respond quickly and acknowledge receipt of the vulnerability report
• Provide an estimated time frame for addressing the vulnerability report
• Notify the reporting party when the vulnerability has been fixed

Our standard response time to acknowledge receipt of vulnerability reports is 2 working days (this means that it excludes weekends and public holidays from the state of Baden-Württemberg in Germany). Status updates of reported vulnerabilities are given when relevant information becomes available.

Bosch agrees not to pursue claims against reporting parties related to disclosures submitted to us providing the following:

• The reporting party does not cause harm to Bosch, our customers, or others.
• The reporting party does not compromise the privacy or safety of our customers or the operation of our services.
• The reporting party does not violate any criminal law.
• The reporting party publicly discloses vulnerability details only after Bosch confirms completed remediation of the vulnerability

Bosch appreciates the efforts made by the reporting party in identifying the vulnerability and working with us to ensure the safety of Bosch customers. We thank you for going out of your way to improve the security and safety of our customers and the Internet community as a whole.