Kendrion's products and services are subject to the highest quality requirements. Cyber security is therefore already taken into account and checked during the development phase. To ensure this over the entire life cycle of the products and services, reports of possible vulnerabilities are taken very seriously and handled responsibly. The discovery of vulnerabilities is seen as a joint effort by a wide range of parties, with the aim of offering our customers a consistently high level of security.
Kendrion Product Security Incident Response Team (PSIRT@kendrion.com)
PSIRT@kendrion.com is the central team at Kendrion responsible for responding to reports and providing information on the cyber security of products, solutions and services. All reports of potential vulnerabilities or other security incidents related to Kendrion products can be sent to PSIRT@kendrion.com.
PSIRT@kendrion.com controls the investigation, internal coordination and publication of security vulnerabilities. For confirmed vulnerabilities, a security notice will be published as soon as a solution is available. If the situation requires it, a security notice will be published with measures to be taken even before an update is available.
Our CVD (Coordinated Vulnerability Disclosure Policy) can be found here:
Cooperation with CERT@VDE

As the first IT security platform to support small and medium-sized enterprises (SMEs) in the automation industry in IT security matters, CERT@VDE enables an open professional exchange on security standards and risks. Kendrion is one of the cooperation partners and provides information on the platform about security-related incidents or potential vulnerabilities. CERT@VDE thus offers a central platform for bundling, structuring and distributing information that was previously isolated. Kendrion publishes and receives information about vulnerabilities via CERT@VDE. Via this central point of contact, customers receive information about security-relevant incidents, such as vulnerabilities in their own products or cyber attacks. In this way, Kendrion makes an important contribution to improving cyber security when operating Kendrion products.
Reporting a vulnerability
Reports of potential vulnerabilities or other incidents are expressly welcomed from everyone, regardless of customer status. Kendrion respects and takes into account the different interests of the reporters and encourages them to send information to PSIRT@kendrion.com. The vulnerability disclosure process (Vulnerability Disclosure Policy) is followed. This can be found here:
PSIRT@kendrion.com intends to work with the respective reporters to handle each vulnerability report in a confidential and professional manner. A non-disclosure agreement (NDA) or other contract is neither necessary nor a requirement for cooperation.
Coordinated vulnerability reports from all members of the security community are very welcome and appreciated. This includes security researchers, universities, CERTs, business partners, government agencies, industry associations and suppliers.
Many Kendrion products fulfil important protective functions and are sometimes used in critical infrastructures. Kendrion therefore requests cooperation in the coordinated disclosure of vulnerabilities and, at the same time, a waiver of premature publication of vulnerability information.
Please provide as much information as possible in a report to speed up the processing. The following information should be included:
- Contact details and availability
- Affected product incl. model and version number
- Classification of the vulnerability (buffer overflow, XSS, etc.)
- Detailed description of the vulnerability (with proof if possible)
- Impact of the vulnerability (if known)
- Current awareness of the vulnerability (are there specific plans for publication?)
- (Company) affiliation of the reporter (if willing to provide information)
- CVSS score (if known)
If further information is needed to investigate a vulnerability, PSIRT@kendrion.com will contact the reporter.
At the request of the discoverer, the discoverer will be publicly acknowledged after the publication of a new vulnerability.
PSIRT@kendrion.com
You have discovered a vulnerability in a Kendrion product and would like to report it? Email: psirt@kendrion.com
PGP key ID 642D 4313
PGP fingerprint 214E A7EB 7CA2 26A3 F98E 6598 DE87 EDF4 642D 4313
Encrypted messages are preferred to protect sensitive information and data. Accepted languages are German and English.
PSIRT@kendrion.com will be happy to provide further information on how it works or to answer general questions related to vulnerability reports. For all other non-security related inquiries, please contact Kendrion's customer service at sales-ics@kendrion.com. These inquiries cannot be answered by PSIRT@kendrion.com.
News
Current reports on vulnerabilities in Kendrion products and security advisories can be found on the CERT@VDE page.
Further information
The following external links will provide you with further information on this topic:
- European Commission - Cyber Resilience Act
  https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
- European Commission - NIS 2 Directive
  https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
- VDE CERT
  https://certvde.com/en/
- VDMA – Cyber security
  https://www.vdma.org/cybersecurity
- BSI - Cyber Resilience Act
  https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html
- CODESYS SECURITY
  https://www.codesys.com/ecosystem/security/