Excluded systems or products
The following products or systems are expressly excluded from this policy, unless the owner has given their consent:
- Customer Equipment and Software: All physical equipment, machinery and software owned by a customer. This includes, but is not limited to, scales, labelers, cutters and other Bizerba hardware and software products under the control and ownership of the customer.
- Third-party systems: Systems and services that are operated by third parties and are not directly controlled by Bizerba.
Procedure
Please note the following procedure:
- Send your findings on the security issue by email to security@bizerba.com . Please use our PGP key to encrypt your documentation to ensure the security of sensitive information. For optimized communication, please use the template below.
- Do not exploit the vulnerability by downloading, modifying, deleting data or uploading code.
- Do not disclose any information about the vulnerability to third parties unless authorized by Bizerba.
- Do not carry out any attacks that could compromise, change or manipulate our IT systems, infrastructure or personal data.
- Avoid social engineering attacks (e.g. phishing), (distributed) denial-of-service attacks, spam or other such attacks against Bizerba.
- Provide sufficient information to be able to understand and analyze the problem and offer a contact option for queries.
Our promise
- We are making every effort to analyze the vulnerability as quickly as possible and close it if necessary.
- You will receive confirmation that your report has been received and feedback on your report.
- If you act in accordance with this security policy, the law enforcement authorities will not be informed in connection with your findings. This does not apply if criminal or intelligence intentions are clearly being pursued.
- We will treat your report confidentially and will not pass on your personal data to third parties without your consent.
- We will inform you about the validity and elimination of the vulnerability during the processing period.
Qualified reporting of vulnerabilities
Qualified reporting of vulnerabilities: Any design or implementation issue that is reproducible and affects security can be reported. Examples of this are
- Privilege Escalation
- Kiosk Mode Breakout
- Unauthorized Access to Properties or Accounts
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Insecure Direct Object Reference
- Remote Code Execution (RCE) - Injection Flaws
- Information Leakage and Improper Error Handling
- Data/Information Exfiltration
- Actively Exploitable Backdoors
- Unauthorized System Use
- Misconfigurations
- Data/Information Leaks
Non-qualified vulnerabilities
The following vulnerabilities are not covered by Bizerba's Vulnerability Disclosure Policy and should not be reported:
- Attacks that require physical access to the device
- Forms with missing CSRF tokens, provided the criticality does not exceed Common Vulnerability Scoring System (CVSS) level 6
- Denial of service attacks (DoS/DDoS)
- Missing security headers that do not lead directly to an exploitable vulnerability
- The use of a library known to be vulnerable without active proof of exploitability
- Reports from automated tools or scans without explanatory documentation
- Social engineering against persons or facilities of Bizerba and its contractors
- SPAM, bots, mass registration
- No submission of best practices
- Use of vulnerable and "weak" cipher suites/ciphers
Format template for a vulnerability report
- Title/name of the vulnerability
- Type of vulnerability
- Brief explanation of the vulnerability (without technical details)
- Affected product/service/IT system
- Product
- Version/model (e.g. via device passport) - Technical details and description of the vulnerability
- Proof of concept
- If necessary, point out a possible solution
- Author and contact details