AUMA PSIRT (Product Security Incident Response Team)

The AUMA PSIRT (Product Security Incident Response Team) is the central Product Security Team of AUMA Riester GmbH & Co. KG. which receives, processes and answers any issues on potential security vulnerabilities of AUMA products and services. Any issues on potential security vulnerabilities related to AUMA products and services can be transmitted to the AUMA PSIRT.

 

The AUMA PSIRT manages internal investigations, coordinates the resulting activities and publishes notes on confirmed security vulnerabilities with available measures for mitigation or elimination.

 

AUMA PSIRT

Report security vulnerabilities

Everybody is invited to report on potential security vulnerabilities – apart from our direct customers, this also includes experts, scientists, CERTs (Computer Emergency Response Teams), authorities, industrial associations, suppliers, consultants or plant operators.

 

Reporting to the AUMA PSIRT is made via the e-mail address created for this purpose PSIRT@auma.com.

 

Since some of our products are deployed in critical infrastructures, we would like to ask you to consult us prior to disclosing security vulnerabilities. This shall avoid any hazards related to the security situation in installations until our R&D teams have defined and provided appropriate counter measures for elimination or mitigation.

 

To collaborate with us for disclosing security vulnerabilities, neither a non-disclosure agreement nor any other contract is required. We aim to cooperate on a confidential and professional basis with the respective reporters when dealing with potential security vulnerabilities related with AUMA products and services.

 

When sending your e-mail, please provide the following details to ensure speedy processing:

 

  • Name of reporter: If you wish to remain undisclosed, we shall respect your interests
  • Contact details: E-mail and phone number to contact you for any questions or feedback
  • Assignment: Name of your organisation (e.g. company name)
  • Type of security vulnerability: Description of the type of security vulnerability (e.g. XSS, buffer overflow, hard coded access data ...)
  • Trigger for the security vulnerability: Description how the security vulnerability can be triggered (tools, processes, procedures, proofs, ...)
  • Affected product: In which AUMA products or services was the security vulnerability detected? Please fill in any available information like product designation with order or serial number, firmware or software version, if applicable the operating system of affected components and indicate the location for services (e.g. URL)
  • Impact of security vulnerability: Please describe how  an attacker could take advantage of a security vulnerability and which impacts would be entailed.
  • CVSS evaluation: Evaluation of the security vulnerability in compliance with Common Vulnerability Scoring System (CVSS) – if known.
  • Confidentiality on security vulnerabilities: Was the security vulnerability already disclosed or are there any plans for disclosure?

 

Please send us your report either in German or English.

Information on security vulnerabilities is critical. For this reason, we would like you to send encrypted messages. Please use the following PGP key to encrypt your information when transmitting to PSIRT@auma.com.

AUMA PSIRT Public Keys

Link to download our PGP key [LW1] [LW2] 

Fingerprint: 64F97ED5674E7BF923018ED87788765AF3FF7089

Analysis and solution

A standardised processing process is introduced upon receipt of your notification. AUMA PSIRT shall acknowledge receipt of the reported security vulnerability, evaluate and analyse the transmitted references and coordinate the required investigations and activities for identifying a solution – this is made in close cooperation with the reporter of the security vulnerability.

Disclosure

Advisories for AUMA products and services will be published on the publicly accessible IT security platform CERT@VDE, which has been created for coordinating security vulnerabilities specifically for companies in industrial automation.

 

AUMA PSIRT will gladly give you any further details on general questions related to the security of AUMA products and services (please address your e-mail to PSIRT@auma.com).