Responsible Disclosure Policy

Information, data and its supporting processes, information systems and networks are vital to the business of Bühler and our customers and other business partners. The preservation of confidentiality, integrity and availability of valuable information is a major aspect to value the trust our customers and business partners place in us. If you found security issues or vulnerabilities, we would be very happy if you report them to us. The following document describes the framework on how such reporting and responsible disclosure is defined for Bühler.

Reporting

The Bühler Information Security team is the point of contact for such reports and can be reached at security[at]buhlergroup.com.

When reporting security weaknesses please include the following elements:

Type of vulnerability.
Exact description of the vulnerability and the affected elements/assets.
A clear description of why you think it is a security issue or vulnerability.
Additional helpful information such as steps to reproduce the issue, screenshots, proof of concept scripts and similar.

Guidelines

To encourage responsible disclosure, we ask all researchers to comply with the following general guidelines:

Bühler has enough time (min. 60 days) to verify a report and to implement a fix. Do not disclose any information during this time to thirds or the public without our approval.
Any testing activity must not impair Bühler services and products. Do not run “denial of service” attacks/tests.
Do not obtain, modify, or destroy any potential sensitive information when an identified vulnerability allows you to do so.
Do not provide reports from automated scanners without manual verification of the vulnerability.

If you follow these guidelines we commit to:

Not pursue or support any legal action related to your research.
Work together with you to understand and remediate the issue quickly including an initial confirmation of your report within 5 days of submission.
Consider bounty depending on the criticality of the finding and the affected information/system/service but in any case, if the finding is in-scope of this policy and if you wish so, we will add you to our hall of fame below. This applies if you were the first one reporting the issue and the issue is not already known to us. Please note that if the identified issue affects a third party product, software or service we may not provide a bounty but we are happy to ask the third party to consider to offer you a bounty or reward.

Scope

In-Scope Vulnerabilities

Any issue that affects the confidentiality or integrity of information in a comprehensible way (end to end) is likely to be in-scope. Examples are:

Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Authentication or Authorization Flaws
SQL injection (SQLI)
Remote Code Execution (RCE)
Local or Remote File Inclusions

Out-of-Scope Vulnerabilities

The following are considered out of scope and will not be rewarded:

Outages due to “denial of service” attacks.
Errors which do not affect the confidentiality, integrity or availability of information or the related service/asset or do not pose a direct security risk.
Leak of non-critical information.
DNS records such as SPF, MARC, DKIM.
Logout Cross-Site Request Forgery.
TLS/SSL certificate related issue such as weak ciphers or outdated protocols.
Issues only exploitable with “clickjacking”.
Vulnerabilities that require a victim to install non-standard software or otherwise take active steps to make themselves be susceptible.
Vulnerabilities which include/require social engineering of our employees or customers.
Attacks requiring physical access to a device or system.
Hypothetical attack chains where an identified vulnerability only together with an assumed/hypothetical situation would lead to a security issue.
Missing cookie flags on non-sensitive cookies.
Missing http security headers which do not lead directly to a vulnerability.
Presence of banner or version information unless correlated with a vulnerable version.

Hall of Fame

The following people have reported valid security issues and helped us make Bühler more secure.

Credits	Date	Description
Athbi	January 2023	Reported two authentication/authorization issues on API endpoints of a web application.
Vishal Vishwakarma	January 2023	Reported a vulnerable component in a service of a third party provider.
Raju Basak+ Pagli	November 2022	Reported a valid vulnerability in a web application.
Bibek Shah	October 2022	Performed and reported subdomain takeover on two subdomains
Haidder Ali Chatha	September 2022	Reported several valid vulnerabilities in a web application
Shashank Sawant	May 2022	Reported a valid vulnerability in a web application.
Huzefa Surme	January 2022	Reported a valid vulnerability in a web application.
Rushabh Vyas	January 2022	Reported a valid vulnerability in a web application.
Ravindra Dagale	October 2021	Reported a vulnerable, outdated component in a web application.
Yunus Yildirim	October 2021	Reported a valid vulnerability in a web application.
Mohammed Eldawody	August 2021	Reported four valid findings with well documented explanations.

Cookie Settings

We use cookies to make our website more user-friendly and to continuously improve your web experience. While some of the cookies may be strictly necessary for your usage of the website and its features, others help us to improve your online experience. You can accept all cookies by clicking "I accept" or reject all but the strictly necessary cookies by clicking on "Accept only strictly necessary cookies". To find further information about what cookies we use and how to manage them, please consult our Cookie Policy.

Responsible Disclosure Policy