CVE-2021-32499: The SICK Product Security Incident Response Team (SICK PSIRT)

Reporting a vulnerability

The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.

Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.

Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.

SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:

• Contact information and availability
• Affected product including model and version number
• Classification of the vulnerability (buffer overflow, XSS, …)
• Detailed description of the vulnerability (with verification if possible)
• Effect of the vulnerability (if know)
• Current level of awareness of the vulnerability (are there plans to disclose it?)
• (Company) affiliation of the reporter (if reporter is prepared to provide such information)
• CVSS score (if known)

If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.

If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.