Report a security vulnerability
Bosch PSIRT encourages users and researchers to report security issues. Please note that quality and warranty issues should be reported to:
https://www.bosch.com/contact/ (in English)
https://www.bosch.de/kontakt/ (in German)
How to report a security vulnerability?
If you believe that you have identified a potential security vulnerability or incident related to a Bosch website, Bosch product, or a data protection issue, please proceed as follows and choose the appropriate way to contact us. The Bosch PSIRT encourages responsible disclosure of vulnerabilities with a view to the longer-term benefits they bring in terms of fixed vulnerabilities, better-informed customers, and continuous improvement of our security.
Website security vulnerabilities
In case of vulnerabilities or incidents in Bosch websites:
Via BugCrowd*: preferred for reporting website vulnerabilities
*BugCrowd and its services are located in the United States
Product security vulnerabilities
In case of a vulnerability or an incident in Bosch products:
Data protection issues
In case of data protection issues:
Notification of data protection incidents
Submission of data subject requests
Please use the following link.
What information should be submitted?
For website or product vulnerabilities, please report the following information:
- Affected product, including model and firmware version (if available), or URL address for website vulnerabilities.
- Description of the vulnerability, including proof-of-concept, exploit code or network traces (if available). If a large amount of data needs to be submitted, we are able to offer an easy-to-use service for data transfer.
- Public references, if there are any. Please indicate if the vulnerability has already been publicly disclosed and by whom.
Important Information
Please take the following considerations into account before submitting a report:
1. Only emails in English or German can be considered.
2. Considerations regarding acknowledgements:
- We invite you to report all website vulnerabilities. However, previously published vulnerabilities will not qualify for acknowledgement.
- From August 2017, acknowledgements for website vulnerabilities will contain the type of vulnerability found, no exceptions.
- Acknowledgements for product vulnerabilities will only contain the researcher's name.
- From December 2018, vulnerabilities categorized as “informational” will not be entitled to an entry on our acknowledgement page.
3. We ask you to read our responsible disclosure policy and get familiar with our process.
4. We strongly encourage you to encrypt all e-mail communications with Bosch PSIRT. Our S/MIME and PGP public keys and fingerprints are available at the bottom of each page.
Bosch PSIRT
Search our S/MIME key here
Fingerprint: 87:F1:6F:70:60:D2:94:83:82:AC:69:F5:46:86:7C:80:7F:86:1D:F0
Find our PGP Key here
Fingerprint: F40C 0FE3 E919 B082 B2DD 75E5 929D 3AFD 217E 21D7