Introduction
As security and reliability are essential for time management and access control software, digital ZEIT places great importance on a transparent and responsible approach to handling reported security vulnerabilities in our products and services.
With this Coordinated Vulnerability Disclosure (CVD) Policy, we establish a clear framework for how vulnerabilities are reported, reviewed, coordinated, remediated, and – where appropriate – disclosed. Our goal is to receive reports in a structured manner, assess their impact transparently, and work together with reporters as well as our development and operations teams to implement appropriate remediation measures.
The digital ZEIT Security Incident Response Team is the central point of contact for vulnerability reports. We investigate incoming reports, maintain reliable communication throughout the entire process, and inform as soon as possible about appropriate measures such as updates, patches, or workarounds – so that our solutions can be operated securely and reliably.
Reports can be submitted and processed in German or English. Our Product Security Incident Response Team (PSIRT) is responsible for product and service vulnerabilities, while our Computer Security Incident Response Team (CSIRT) handles vulnerabilities in our IT infrastructure.
Scope
This policy applies to vulnerabilities that occur in products, services, or IT systems of digital ZEIT and that may affect confidentiality, integrity, availability, or authenticity. It describes the process from reporting to coordinated review and remediation.
It specifically covers:
- Products and services of digital ZEIT (e.g., software, hardware, interfaces/APIs)
- IT infrastructure of digital ZEIT (e.g., web services, configurations, central operations and platform services)
- Systems operated on behalf of digital ZEIT (e.g., hosting/cloud providers), insofar as digital ZEIT is responsible for operations or patch/configuration management
Outside the scope are reports concerning systems that are not within the responsibility of digital ZEIT (e.g., independent third-party providers or customer-owned environments unrelated to our products/services).
Our Promise
We promise that
- every vulnerability report will be treated confidentially within the legal framework.
- personal data will not be shared with third parties without your explicit consent.
- every vulnerability report will receive a response.
- no legal action will be taken against you as long as this policy and its principles are followed. This does not apply if criminal intent was or is clearly being pursued.
- no non-disclosure agreement (NDA) needs to be signed.
- a dedicated contact person will be available for trustworthy communication throughout the entire process.
Our Expectations
We expect that
- the discovered vulnerability will not be exploited maliciously (no damage beyond proof of concept).
- no attacks (e.g., social engineering, spam, (distributed) DoS, or brute-force attacks) will be conducted against IT systems or infrastructures.
- no manipulation, compromise, or alteration of third-party systems or data will occur.
- no exploit tools (paid or unpaid) will be offered that could enable third parties to commit crimes.
- reports do not consist solely of results from automated scans/tools without explanatory documentation.
- the information is preferably not yet publicly known.
Even if a report does not fully meet all of these expectations, we will make every effort to review and respond as best as possible based on the available information.
Anonymous reports are possible but can only be processed to a limited extent because follow-up questions are not possible.
Vulnerability Guideline
Minimum Criteria: When a Report Is Considered “Valid”
For us to classify a report as a valid vulnerability report within our CVD process, at least the following criteria should be met:
- The vulnerability affects a product, service, or system of digital ZEIT or our IT infrastructure (including affected component/module/endpoint and – where possible – version/build or environment).
- The report preferably refers to information that is not yet publicly known.
- The report is not solely the result of an automated scan/tool without supporting and verifiable documentation.
For technical verification and remediation, we typically require additional information. If something is missing, we will ask.
Recommended Information for Efficient Processing
For a quick analysis, the following information is particularly helpful:
- Step-by-step reproduction instructions including prerequisites as well as expected and actual results
- Technical details (e.g., parameters, payloads, headers, configuration, request/response examples, logs)
- Impact / attack scenario (what is specifically possible?)
- Severity assessment (e.g., CVSS – preferably current version)
- PoC or hints on exploitability (as minimally invasive as possible)
- Suggested patch/mitigation/workaround
Reports That Are Generally Not Sufficient
The following reports are generally not sufficient for verification unless additional documentation/evidence is provided:
- Pure results from automated scans/tools without comprehensible description, reproduction, or impact evidence
- “Best practice” suggestions without concrete security impact
- Duplicates of already reported vulnerabilities without new findings
- Reports that exclusively concern third-party systems outside the responsibility of digital ZEIT
Already Publicly Known or Already Fixed Vulnerabilities
We still accept information about already publicly known or already fixed vulnerabilities. In this case, please clearly indicate:
- Where the information was already published (source/reference)
- Which digital ZEIT versions/environments were or still are affected
- What new findings exist (e.g., additional affected components, new exploit path, active exploitation)
Handling Data in Reports
Please do not submit unnecessary personal data of third parties. If you inadvertently encounter personal or confidential data, minimize processing/transmission and limit yourself to the evidence required for reproduction and remediation.
Reporting Channels
Vulnerability Report via Online Form
Our reporting form: Report Vulnerability
Important: Reports can also be submitted anonymously upon request. In this case, please provide information that is as comprehensive and precise as possible so that the matter can be verified and assessed; because digital ZEIT cannot ask follow-up questions, a report that lacks this information may not be processable.
Vulnerability Reports via Email
Send vulnerability reports by email to:
- PSIRT (Products & Services): psirt@digital-zeit.de
- CSIRT (IT Infrastructure): csirt@digital-zeit.de
Important: Please follow the requirements outlined in the “Vulnerability Guideline” section.
Encrypted Communication (OpenPGP):
For confidential information, we recommend encrypted communication.
- PSIRT Public Key: Download psirt-publickey.asc
- CSIRT Public Key: Download csirt-publickey.asc
By Phone
Calls are received by our main office, which will forward you to the appropriate contact person. For transmitting confidential information, we recommend using encrypted emails.
Tel.: +49 (0) 731 / 205557-0
Response Time & Communication
A valid contact method (e.g., email address) is required for responses and status updates.
We guarantee – except for anonymous reports – the following response times:
- Initial response: within 5 business days (not automated)
- Detailed feedback: within 10 business days after further analysis
This feedback will contain at least (a) a confirmation or rejection, (b) follow-up questions, or (c) an explanation of the delay with a commitment to an update within another 10 business days.
We value respectful and professional communication. Inappropriate behavior (e.g., insults or discrimination) has no place. Status inquiries are welcome.
Coordination for Actively Exploited Vulnerabilities
When we become aware of actively exploited vulnerabilities, we coordinate measures and inform our responsible national CSIRT without undue delay where appropriate. We coordinate the further course of action with the responsible national CSIRT and keep them continuously informed about relevant new findings as well as implemented and planned measures.
Coordinated Disclosure
Validated and verified vulnerabilities will generally be publicly disclosed within 90 days; a justified extension of another 90 days is possible (in close coordination with the responsible national CSIRT). Upon request, disclosure can be made in coordination with the responsible national CSIRT and/or ENISA at least via the European Vulnerability Database (EUVD).
When the CVD Process Is Considered Complete
We typically consider the CVD process complete when
- the report proves to be unfounded,
- the vulnerability in a service has been fixed and publicly disclosed,
- the vulnerability has been addressed through patch/mitigation and publicly disclosed.
Optionally, we may close a case if the reporter does not respond to follow-up questions for at least 30 days and processing is thereby only possible to a limited extent (this naturally does not apply to anonymous reports).
Closing a case is done internally according to the four-eyes principle (at least two persons) and – where possible – communicated to the reporter with a brief explanation.
Privacy
Privacy Policy: https://www.digital-zeit.de/datenschutz/
If you inadvertently encounter personal or confidential data during your research, minimize processing/transmission and limit yourself to the evidence required for reproduction and remediation.
This policy is reviewed at least annually and updated as needed.