Vulnerability and Incident Management Processes
Overview of the Bosch PSIRT processes
Bosch delivers products that offer the best quality and reliability. The Bosch Product Security Incident Response Team (PSIRT) supports this by helping to resolve security issues identified in Bosch products by security researchers, partners, or customers.
The Bosch PSIRT process consists of four stages, which are based on the FIRST framework:
1. A potential vulnerability is reported to the Bosch PSIRT.
2. Bosch PSIRT cooperates with the relevant Bosch development team to investigate and reproduce the vulnerability. Bosch PSIRT performs internal vulnerability handling in collaboration with the responsible development groups. CERT teams of our customers may be notified about the problem upfront. During this time, regular communication is maintained between Bosch PSIRT and the reporting party.
3. After the issue is analyzed, it is determined whether a fix or mitigation is necessary to address the vulnerability. To the extent possible, the Bosch PSIRT will work with the reporting party to verify and review fixes. Corresponding fixes will be developed and prepared for distribution.
4. The Bosch PSIRT, in conjunction with the reporting party, will create a disclosure schedule. If public disclosure of the vulnerability is agreed upon, the Bosch PSIRT will release a Bosch Security Advisory at psirt.bosch.com in coordination with the reporting party's potential publication plans.
A security advisory usually contains the following information:
- Description of the vulnerability with CVE reference and CVSS score
- Identity of known affected products and software/hardware versions
- Information on mitigating factors and workarounds
- Timeline and the location of available fixes or other remedial measures
- Recognition of the reporting party, with their consent, for reporting and collaboration