Report vulnerabilities

CVD policy

We attach great importance to the security of our digital products. We therefore strive to identify relevant security vulnerabilities and address them accordingly. In this context, we welcome any information you may have.

If you have found one or more vulnerabilities in our digital products, you can contact us in confidence. Upon receipt of the report, we will investigate and address the information received regarding possible vulnerabilities as part of our processes.

We promise to

  • treat every vulnerability report confidentially within the legal framework.
  • not disclose personal data to third parties without your express consent.
  • provide feedback on every vulnerability report made.
  • not take any legal action against you as long as you have complied with the guidelines and principles. This does not apply if recognisable criminal intentions were or are being pursued.
  • be your contact person for confidential communication throughout the entire process.

We expect you to

  • not exploit the vulnerability found. This means that no damage beyond the reported vulnerability has been caused.
  • not carry out any attacks (such as social engineering, spam, (distributed) DoS or brute force attacks, etc.) against IT systems or infrastructures.
  • not manipulate, compromise or modify any third-party systems or data.
  • not offer tools for exploiting vulnerabilities, whether for sale or free of charge (e.g. on darknet markets), that third parties could use to commit criminal offences.
  • not submit a vulnerability report that consists of results from automated tools or scans without explanatory documentation. These do not constitute valid vulnerability reports.
  • report information that was previously unknown. Although your information on vulnerabilities that have already been remedied will be accepted and reviewed, it does not qualify for further processing within the CVD process.
  • provide valid contact details (email address) so that we can contact you in case of queries. Especially in the case of complex vulnerabilities, it cannot be ruled out that we may require further explanations and documentation.

Only emails in English or German can be considered.

Vulnerability reporting via email

Vulnerability reporters who use their own reporting format (e.g. via PDF or txt) can send vulnerability reports and coordination requests directly to us by email.

Please send vulnerability reports relating to our website to csirt@goepel.com.

Please send vulnerabilities in our products to psirt@goepel.com.

We strongly recommend that you encrypt all email communication with us. Our public S/MIME and PGP keys can be found here: https://www.goepel.com/en/rules-for-communication.

For vulnerabilities on websites or in products, please report the following information:

  1. Affected product, including model and firmware version (if available) or URL address for website vulnerabilities.
  2. Description of the vulnerability, including proof of concept, exploit code or network traces (if available).
  3. Assignment of the vulnerability to the OWASP Top 10 2021 (see https://owasp.org/www-project-top-ten). If none of the vulnerability categories apply, please describe it in more detail under ‘Other’.

Reporting vulnerabilities via online form

You are also welcome to report vulnerabilities using the online form. Your information will always be treated confidentially.

Vulnerability report to GÖPEL electronic

Describe the vulnerability here, including proof-of-concept, exploit code or network traces (if available).