Coordinated Disclosure

We kindly ask security analysts to give us sufficient time to develop a fix for a security hole before publishing it. Coordinated disclosure ensures that customers receive an update that closes the security hole and that they are not unnecessarily endangered while the update is being developed. Once customers are protected, open discussion of the security hole can help the industry as a whole improve its products and solutions.

If Beckhoff is the supplier of a product that is suspected of being vulnerable, discoverers and coordinators of security holes should contact product-securityincident@beckhoff.com with a vulnerability report, preferably in English or German. Confidentiality is requested. Means of sending encrypted messages are described in Contact Beckhoff Incident Response Team.

Discoverers are requested to include all necessary contact information in the vulnerability report so that follow-up questions are possible. Nevertheless, anonymous vulnerability reports will also be considered. Please provide as much detail as possible so that the case can be reproduced.

If the discoverer wishes to publish the discovery, Beckhoff will attempt to coordinate a suitable preliminary release date within 30 days. The discoverer is informed of the availability of solutions prior to the release date and receives the corresponding Beckhoff Advisory. Beckhoff receives the discoverer's planned publication (including the requested CVE where applicable). A final release date is then agreed. On this day, both the discoverer's publication and the Beckhoff Advisory are released. If the discoverer so desires and adheres to the above procedure, a note of thanks, a reference to the discoverer's publication and, if helpful, information about the discoverer's publication will be added to the Advisory.