Responsible Disclosure Policy


Information, data and the supporting processes, information systems and networks are vital to the business of Bühler, our customers and our other business partners. Preserving the confidentiality, integrity and availability of valuable information is a major part of honouring the trust our customers and business partners place in us. If you have found security issues or vulnerabilities, we would be very happy if you report them to us. This document describes how such reporting and responsible disclosure is handled at Bühler.



The Bühler Information Security team is the point of contact for such reports and can be reached at security[at]

When reporting security weaknesses, please include the following elements:

  • Type of vulnerability.
  • Exact description of the vulnerability and the affected elements/assets.
  • A clear description of why you think it is a security issue or vulnerability.
  • Additional helpful information such as steps to reproduce the issue, screenshots, proof of concept scripts and similar.


To encourage responsible disclosure, we ask all researchers to comply with the following general guidelines:

  • Give Bühler enough time (min. 60 days) to verify a report and to implement a fix. Do not disclose any information during this time to third parties or the public without our approval.
  • Any testing activity must not impair Bühler services and products. Do not run “denial of service” attacks/tests.
  • Do not obtain, modify or destroy any potentially sensitive information, even if an identified vulnerability allows you to do so.
  • Do not provide reports from automated scanners without manual verification of the vulnerability.

If you follow these guidelines, we commit to:

  • Not pursue or support any legal action related to your research.
  • Work together with you to understand and remediate the issue quickly, including an initial confirmation of your report within 5 days of submission.
  • Consider a bounty depending on the criticality of the finding and the affected information, system or service. In any case, if the finding is in scope of this policy and you wish so, we will add you to our hall of fame below. This applies if you were the first to report the issue and the issue was not already known to us. Please note that if the identified issue affects a third-party product, software or service, we may not provide a bounty, but we are happy to ask the third party to consider offering you a bounty or reward.



In-Scope Vulnerabilities

Any issue that affects the confidentiality or integrity of information in a comprehensible, end-to-end way is likely to be in scope. Examples are:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Authentication or Authorization Flaws
  • SQL injection (SQLI)
  • Remote Code Execution (RCE)
  • Local or Remote File Inclusions


Out-of-Scope Vulnerabilities

The following are considered out of scope and will not be rewarded:

  • Outages due to “denial of service” attacks.
  • Errors which do not affect the confidentiality, integrity or availability of information or the related service/asset, or which do not pose a direct security risk.
  • Leak of non-critical information.
  • DNS records such as SPF, DMARC, DKIM.
  • Logout Cross-Site Request Forgery.
  • TLS/SSL certificate related issues such as weak ciphers or outdated protocols.
  • Issues only exploitable with “clickjacking”.
  • Vulnerabilities that require a victim to install non-standard software or otherwise take active steps to make themselves susceptible.
  • Vulnerabilities which include/require social engineering of our employees or customers.
  • Attacks requiring physical access to a device or system.
  • Hypothetical attack chains where an identified vulnerability would lead to a security issue only in combination with an assumed/hypothetical situation.
  • Missing cookie flags on non-sensitive cookies.
  • Missing HTTP security headers which do not lead directly to a vulnerability.
  • Presence of banner or version information unless correlated with a vulnerable version.

Hall of Fame

The following people have reported valid security issues and helped us make Bühler more secure.

Gokul Sudhakar

April 2023

Reported two issues in services of third party providers.

Shlok K

February 2023

Reported a security misconfiguration on a publicly exposed system.

Himanshu Sondhi

February 2023

Reported a vulnerability in a publicly exposed test system.


January 2023

Reported two authentication/authorization issues on API endpoints of a web application.

Vishal Vishwakarma

January 2023

Reported a vulnerable component in a service of a third party provider.

Raju Basak + Pagli

November 2022

Reported a valid vulnerability in a web application.

Bibek Shah

October 2022

Performed and reported a subdomain takeover on two subdomains.

Haidder Ali Chatha

September 2022

Reported several valid vulnerabilities in a web application.

Shashank Sawant

May 2022

Reported a valid vulnerability in a web application.

Huzefa Surme

January 2022

Reported a valid vulnerability in a web application.

Rushabh Vyas

January 2022

Reported a valid vulnerability in a web application.

Ravindra Dagale

October 2021

Reported a vulnerable, outdated component in a web application.

Yunus Yildirim

October 2021

Reported a valid vulnerability in a web application.

Mohammed Eldawody

August 2021

Reported four valid findings with well documented explanations.