To encourage responsible disclosure, we ask all researchers to comply with the following general guidelines:
- Give Bühler enough time (min. 60 days) to verify a report and to implement a fix. Do not disclose any information to third parties or the public during this time without our approval.
- Any testing activity must not impair Bühler services and products. Do not run “denial of service” attacks/tests.
- Do not obtain, modify, or destroy any potentially sensitive information when an identified vulnerability allows you to do so.
- Do not provide reports from automated scanners without manual verification of the vulnerability.
If you follow these guidelines, we commit to:
- Not pursuing or supporting any legal action related to your research.
- Working together with you to understand and remediate the issue quickly, including an initial confirmation of your report within 5 days of submission.
- Considering a bounty depending on the criticality of the finding and the affected information/system/service. In any case, if the finding is in scope of this policy and if you wish, we will add you to our hall of fame below. This applies if you were the first to report the issue and the issue is not already known to us. Please note that if the identified issue affects a third-party product, software or service, we may not provide a bounty, but we are happy to ask the third party to consider offering you a bounty or reward.