Why report vulnerabilities?
Even conscientious secure development and rigorous testing cannot guarantee that products are free of cybersecurity weaknesses. Responsible disclosure of vulnerabilities allows us to fix them, update and inform customers about the fixes, and continuously improve the security of our products before the vulnerabilities cause any harm. If you believe you have identified a potential vulnerability or security issue in an e:fs product or service, please contact us using the e-mail address given below. If you wish to provide large or highly sensitive files, please let us know. We will then contact you and let you know how you can provide this data securely.
What information should be submitted?
For product vulnerabilities, please report the following information:
- Affected product, including model and firmware version (if available), or other information that supports the identification of the affected product(s).
- Description of the vulnerability, including proof-of-concept, exploit code or network traces (if available). If a large amount of data needs to be submitted, we offer an easy-to-use service for data transfer.
- Public references, if there are any. Please indicate if the vulnerability has already been publicly disclosed and by whom.
- Information about you (the reporter). This is optional, but supports further communication and, if desired, honorable mentions.
Please also state whether there are any restrictions or wishes regarding the provided information, especially with respect to publication and dissemination.
Please take the following considerations into account before submitting a report:
1. Only e-mails in English or German will be considered.
2. Considerations regarding acknowledgements:
- We invite you to report all vulnerabilities. However, previously published vulnerabilities will not qualify for acknowledgement.
- Acknowledgements for product vulnerabilities may be subject to the disclosure policies of e:fs TechHub customers such as OEMs.
3. We kindly ask the reporting party not to share an unresolved vulnerability with third parties, or publicize it, without prior consultation.