Reporting vulnerabilities and security gaps in connection with ekey products and services

ekey’s Product Security Incident Response Team (or “ekey PSIRT” for short) offers customers, partners, testers, and security experts a central point of contact and a consistent process for reporting security gaps identified in ekey products and services. The focus of the team’s work is communication with all those affected, both internally and externally.

Reports on potential vulnerabilities or other incidents are expressly welcome from everyone – regardless of customer status.

How do I report a security gap?

Have you noticed a potential vulnerability or security incident in connection with an ekey website or an ekey product, or have you discovered a data protection problem? Please proceed as follows.

Include as much information as possible in a report so we can process it quickly. For website or product vulnerabilities, add the following information:

  • Contact information
  • Affected product including model and firmware version (if known)
  • URL (for vulnerabilities on websites)
  • Detailed description of the vulnerability (if possible with evidence)
  • Impact of the vulnerability (if known)
  • Current awareness of the vulnerability (are there any concrete plans for public release?)
  • CVSS score (if known)

We recommend encrypting all communications with the ekey PSIRT:

  • Download the PGP public keys
  • PGP key fingerprint: D7AD 73CD 31A1 E5FE 0B67 6037 D805 C2B3 679A 159B

Send your message to psirt@ekey.net.

What can you expect when you report a vulnerability?

  • You will receive a reply from the PSIRT within seven days. In this phase, the receipt of your report is confirmed and the reported vulnerability is forwarded to the responsible product and application team at ekey for processing.
  • Once the issue has been confirmed as a security gap, you will also be notified and a remediation plan will be created. The impact, severity and complexity are taken into account when prioritizing remedial measures.
  • Throughout the vulnerability handling process, our team ensures that information about the vulnerability is shared only among those involved in processing it. You are requested to keep the information confidential until a solution is available for our customers.
  • Maintaining communication between all parties involved, both internally and externally, is an essential part of ekey’s PSIRT process. The entire process up to the elimination of the reported vulnerability is accompanied by regular status updates to you.
  • We will not take civil action or file a complaint with law enforcement if disclosure is made responsibly.