Product Security Incident Response Team

PSIRT
SAE has established processes and measures to respond appropriately to any notification of a potential cybersecurity vulnerability. One of these measures is a Product Security Incident Response Team (PSIRT), which continuously handles vulnerability reports and is responsible for addressing and tracking them correctly.

Contact
Encrypted e-mail address: psirt@sae-it.de
S/MIME Public Key Download

If you would like to notify us of a vulnerability, please provide the following information:

  • Contact details of the “reporter” (name, company, email, phone, …)
  • Description of the vulnerability
  • Affected product, software / firmware version
  • Whether you assume the vulnerability has already been exploited
  • Whether an exploit already exists
  • Impact of the vulnerability
  • Whether you want to be named as the discoverer of the vulnerability
  • Comments
  • File (for upload) with further information, e.g. if a tracking ID already exists

Process

Security message
Once the SAE PSIRT receives a report of a potential cybersecurity vulnerability, an acknowledgement of receipt is sent within 7 business days to the contact provided in the report.

First evaluation
The SAE PSIRT analyzes the vulnerability described in the notification, its severity, and its impact on SAE products. Depending on the complexity of the vulnerability described, queries are sent to the contact named in the notification. No later than 14 working days after acknowledgement of receipt, the SAE PSIRT prepares a preliminary vulnerability report and shares it with the contact named in the notification via a pre-agreed secure communication channel.

Investigation
The SAE PSIRT works closely with the appropriate development departments and third-party component suppliers to identify the root cause of the reported vulnerabilities. The contact named in the notification will be informed of progress in this phase.

Remediation
The SAE PSIRT works with the development departments to provide a final fix for the vulnerability. If the reported vulnerability poses a high risk to SAE customers and a final fix would take too much time, SAE will publish temporary measures. The contact named in the notification will be informed of the planned compliance horizon.

Disclosure
The SAE PSIRT publishes relevant information about the reported vulnerability and corresponding patches or actions in the Security Notifications section of the website.

Disclaimer
SAE reserves the right to modify the process described herein at any time or to deviate from the process for cause.
