Vulnerability Disclosure
In an age of increasing cybersecurity risks, our transparent Vulnerability Disclosure Policy creates a trusting environment in which security researchers and developers can work together securely and responsibly.
Cyber Security Notification
Dipl.-Ing. H. Horstmann GmbH, as a manufacturer of high-quality and durable products, also places the highest demands on the cyber security of its networked devices and applications.
Vulnerability Disclosure
At Horstmann, we attach great importance to the security of our products. We therefore encourage experts to disclose vulnerabilities in a responsible manner. If you have any information about a possible security vulnerability in our products, please report it according to the reporting process described below.
Guidelines for tests
- Do not test any hardware that is in productive operation or in field use; test only your own hardware, or hardware for which you have the express permission of the owner or operator.
- Avoid social engineering (phishing, vishing, dumpster diving, …).
- Only use non-destructive test methods and do not use, for example:
  - DoS or DDoS attacks
  - Use of viruses, malware, worms
  - Deleting or manipulating data
  - Automated tests
Scope
All hardware products and their software, as well as the corresponding configuration programs, which belong to the Dipl.-Ing. H. Horstmann GmbH brand.
Out of Scope
Results that were mainly achieved by means of social engineering (e.g. phishing, vishing, …). All servers, web applications and other online services/presences.
Vulnerability Reporting
Please send your information to vulnerability@horstmanngmbh.com. To ensure the confidentiality of the information, please encrypt your e-mail and the data sent using the public PGP key provided.
SHA-1 key fingerprint: ACA7 6381 96CF BC24 E22D C83A E08D 9ED1 6C1B 1CD6
After the report is received, an automatic confirmation of receipt is sent, and within 7 days an initial assessment of the reported vulnerability is sent to the reporting person.
Content of the message
- Please make sure that your report does not contain any confidential or personal information and that you only refer to the vulnerability found.
- Describe the vulnerability you have found as precisely as possible so that we can reproduce it as quickly as possible. Please also include pictures or videos that illustrate the error and your approach.
- Corresponding detailed information such as:
  - Affected product/application
  - Serial number
  - Software version
  - Hardware revision
  - URL
  - Test scenario
- Please write the message in German or English.
- Even if you are not quite sure: We will follow up your tip and contact you if we have any further questions.
Responsible Disclosure
Please give us the opportunity to work on the vulnerability and refrain from publishing it until then. The provision of a possible patch may take some time. Once we have given our written release, the vulnerability may be discussed; until then, all parties are committed to confidentiality.
We will confirm receipt of the report with an automatic e-mail and get back to you within 7 days with an initial assessment.
It takes up to 90 days to rectify the vulnerability in the event of a software change and up to 6 months in the event of a hardware change. In the case of third-party hardware/software, the information is passed on and a solution is worked on as quickly as possible.