Reporting vulnerabilities and security gaps in connection with ekey products and services
ekey’s Product Security Incident Response Team (or “ekey PSIRT” for short) offers customers, partners, testers, and security experts a central point of contact and a consistent process for reporting security gaps identified in ekey products and services. The focus of the team’s work is communication with all those affected, both internally and externally.
Reports on potential vulnerabilities or other incidents are expressly welcome from everyone – regardless of customer status.
How do I report a security gap?
Have you noticed a potential vulnerability or security incident in connection with an ekey website or an ekey product, or have you discovered a data protection problem? Please proceed as follows.
Include as much information as possible in a report so we can process it quickly. For website or product vulnerabilities, add the following information:
- Contact information
- Affected product including model and firmware version (if known)
- URL (for vulnerabilities on websites)
- Detailed description of the vulnerability (if possible with evidence)
- Impact of the vulnerability (if known)
- Current awareness of the vulnerability (Are there any concrete release plans?)
- CVSS score (if known)
What can you expect when you report a vulnerability?
- You will receive a reply from the PSIRT within seven days. In this phase, the receipt of your report is confirmed and the reported vulnerability is forwarded to the responsible product and application team at ekey for processing.
- Once the issue has been confirmed as a security gap, you will also be notified and a remediation plan will be created. The impact, severity and complexity are taken into account when prioritizing remedial measures.
- Throughout the vulnerability handling process, our team ensures that information about the vulnerability is shared only among those involved in processing it. You are requested to keep the information confidential until a solution is available for our customers.
- Maintaining communication between all parties involved, both internally and externally, is an essential part of ekey’s PSIRT process. The entire process up to the elimination of the reported vulnerability is accompanied by regular status updates to you.
- We will not take civil action or file a complaint with law enforcement if disclosure is made responsibly.