Jointly uncover vulnerabilities to improve Bosch Product Security beyond established ways
Bosch delivers products that offer the best quality and reliability. Bosch Product Security Incident Response Team (PSIRT) supports this by helping to resolve security issues identified in Bosch products by external security researchers, partners, or customers.
Bosch PSIRT coordinates measures in case of (potential) security incidents with Bosch engineers and development teams, including establishing an appropriate response plan, and maintaining regular communication with the reporting party. Bosch encourages coordinated disclosure of vulnerabilities and we kindly ask the reporting party to keep the vulnerability confidential until Bosch makes a fix available.
Everyone is encouraged to report identified vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports directly from researchers, industry groups, CERTs(Computer Emergency Response Team), partners and any other source. We respect the interests of the reporting party (anonymous reports are also welcome) and agree to address any vulnerability that is reasonably believed to be related to our products or services. We strongly urge reporting parties to perform a coordinated disclosure, as immediate public disclosure puts our customers’ systems at unnecessary risk.
How to Report a vulnerability:
The preferred method of contacting the Bosch PSIRT is by sending an email to firstname.lastname@example.org. We encourage all vulnerability information to be encrypted. Additional information is available in the contact section.
Please report the following information:
- Affected product, including model and firmware version (if available), or Web-based vulnerabilities*
- Description of vulnerability, including proof-of-concept, exploit code or network traces (if available). If a large amount of data needs to be submitted, we are able to offer an easy-to-use service for data transfer.
- Publicity of vulnerability (Was it already publicly disclosed and if yes by whom?)
*We invite you to report all web-based vulnerabilities. However previously published vulnerabilities will not qualify for acknowledgement! From August 2017 all acknowledgements will contain the type of vulnerability found, no exceptions. From December 2018, Vulnerabilities categorized as “informational” will not be entitled to an entry on our acknowledgment page.
What Happens Next?
Verification & Triage
Bosch PSIRT cooperates with the relevant Bosch development team to investigate and reproduce the vulnerability. Bosch PSIRT performs internal vulnerability handling in collaboration with the responsible development groups. CERT teams having a partnership with us may be notified about the problem upfront. During this time, regular communication is maintained between Bosch PSIRT and the reporting party.
After the issue is successfully analyzed and if a fix is necessary to cope with the vulnerability, corresponding fixes will be implemented and prepared for distribution. To the extent possible PSIRT will work with the reporting party to verify and review fixes.
The Bosch PSIRT in conjunction with the reporting party will create a disclosure schedule. If public disclosure of the vulnerability is agreed upon, the Bosch PSIRT will then release a security advisory at psirt.bosch.com that contains all necessary information about the vulnerability and ask that the reporting party keeps Bosch PSIRT informed of their release plans.
A security advisory usually contains the following information:
- Description of the vulnerability with CVE reference and CVSS score
- Identity of known affected products and software/hardware versions
- Information on mitigating factors and workarounds
- Timeline and the location of available fixes or other remedial measures
- With the reporting parties consent, recognition will be provided for reporting and collaboration.
We kindly ask the reporting party to not share or publicize an unresolved vulnerability with/to third parties. By following the Bosch Responsible Security Disclosure Policy, the Bosch PSIRT and associated development organizations will use reasonable efforts to:
- Respond quickly and acknowledge receipt of the vulnerability report
- Provide an estimated time frame for addressing the vulnerability report
- Notify the reporting party when the vulnerability has been fixed
Bosch agrees not to pursue claims against reporting parties related to disclosures submitted to us providing the following:
- The reporting party does not cause harm to Bosch, our customers, or others.
- The reporting party does not compromise the privacy or safety of our customers or the operation of our services.
- The reporting party does not violate any criminal law.
- The reporting party publicly discloses vulnerability details only after Bosch confirms completed remediation of the vulnerability
Bosch appreciates the efforts made by the reporting party in identifying the vulnerability and working with us to ensure the safety of Bosch customers. We thank you for going out of your way to improve the security and safety of our customers and the Internet community as a whole.