Jointly uncover vulnerabilities to improve Bosch Product Security beyond established ways

Bosch delivers products that offer the best quality and reliability. Bosch Product Security Incident Response Team (PSIRT) supports this by helping to resolve security issues identified in Bosch products by external security researchers, partners, or customers.

Bosch PSIRT coordinates measures in case of (potential) security incidents with Bosch engineers and development teams, including establishing an appropriate response plan, and maintaining regular communication with the reporting party. Bosch encourages coordinated disclosure of vulnerabilities and we kindly ask the reporting party to keep the vulnerability confidential until Bosch makes a fix available.

Everyone is encouraged to report identified vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports directly from researchers, industry groups, CERTs(Computer Emergency Response Team), partners and any other source. We respect the interests of the reporting party (anonymous reports are also welcome) and agree to address any vulnerability that is reasonably believed to be related to our products or services. We strongly urge reporting parties to perform a coordinated disclosure, as immediate public disclosure puts our customers’ systems at unnecessary risk.

How to Report a vulnerability:

The preferred method of contacting the Bosch PSIRT is by sending an email to psirt@bosch.com. We encourage all vulnerability information to be encrypted. Additional information is available in the contact section.

Please report the following information:

  • Affected product, including model and firmware version (if available), or Web-based vulnerabilities*
  • Description of vulnerability, including proof-of-concept, exploit code or network traces (if available). If a large amount of data needs to be submitted, we are able to offer an easy-to-use service for data transfer.
  • Publicity of vulnerability (Was it already publicly disclosed and if yes by whom?)

*We invite you to report all web-based vulnerabilities. However previously published vulnerabilities will not qualify for acknowledgement! From August 2017 all acknowledgements will contain the type of vulnerability found, no exceptions.

What Happens Next?

  1. Verification & Triage
    Bosch PSIRT cooperates with the relevant Bosch development team to investigate and reproduce the vulnerability. Bosch PSIRT performs internal vulnerability handling in collaboration with the responsible development groups. CERT teams having a partnership with us may be notified about the problem upfront. During this time, regular communication is maintained between Bosch PSIRT and the reporting party.

  2. Disclosure
    After the issue is successfully analyzed and if a fix is necessary to cope with the vulnerability, corresponding fixes will be implemented and prepared for distribution. To the extent possible PSIRT will work with the reporting party to verify and review fixes.
    The Bosch PSIRT in conjunction with the reporting party will create a disclosure schedule. If public disclosure of the vulnerability is agreed upon, the Bosch PSIRT will then release a security advisory at psirt.bosch.com that contains all necessary information about the vulnerability and ask that the reporting party keeps Bosch PSIRT informed of their release plans.

    A security advisory usually contains the following information:

    • Description of the vulnerability with CVE reference and CVSS score
    • Identity of known affected products and software/hardware versions
    • Information on mitigating factors and workarounds
    • Timeline and the location of available fixes or other remedial measures
    • With the reporting parties consent, recognition will be provided for reporting and collaboration.

Bosch Commitment

We kindly ask the reporting party to not share or publicize an unresolved vulnerability with/to third parties. By following the Bosch Responsible Security Disclosure Policy, the Bosch PSIRT and associated development organizations will use reasonable efforts to:

  • Respond quickly and acknowledge receipt of the vulnerability report
  • Provide an estimated time frame for addressing the vulnerability report
  • Notify the reporting party when the vulnerability has been fixed

Bosch agrees not to pursue claims against reporting parties related to disclosures submitted to us providing the following:

  • The reporting party does not cause harm to Bosch, our customers, or others.
  • The reporting party does not compromise the privacy or safety of our customers or the operation of our services.
  • The reporting party does not violate any criminal law.
  • The reporting party publicly discloses vulnerability details only after Bosch confirms completed remediation of the vulnerability

Bosch appreciates the efforts made by the reporting party in identifying the vulnerability and working with us to ensure the safety of Bosch customers. We thank you for going out of your way to improve the security and safety of our customers and the Internet community as a whole.

CONTACT INFORMATION

  • Website: psirt.bosch.com
  • Email: psirt@bosch.com
    • Only emails composed in English or German can be considered
    • Checked 7 days a week, response within one business day
    • S/MIME
      • Public key: bosch-psirt.der.
      • Fingerprint: 1A:B0:CB:34:A9:EB:06:26:C2:16:07:B1:F9:03:36:2C:0A:06:A9:60
    • PGP