Working together for better security
The DURAG PSIRT is the central team for the review, coordination and disclosure of security-related vulnerabilities in DURAG GROUP products. All reports of potential vulnerabilities or other security incidents relating to certified DURAG GROUP products can be sent directly to the DURAG PSIRT.
The handling of vulnerabilities is described in the document "Vulnerability Handling Guideline".
For confirmed vulnerabilities, a security advisory will be published as soon as a solution is available. If the situation requires it, a security advisory with measures to be taken will be issued even before an update is available.
We apply the highest quality requirements for DURAG GROUP products and services. Reports about security-related vulnerabilities in products and services are taken very seriously and treated responsibly. The reporting of potential vulnerabilities allows us to fix vulnerabilities and inform customers with affected products. Identifying and reporting vulnerabilities can therefore contribute to our continuous improvement and enhancement of the security of products and services.
Report vulnerabilities
The DURAG PSIRT welcomes vulnerability reports from anyone, regardless of customer status, and investigates them diligently. Neither a non-disclosure agreement nor any other contract is a prerequisite or necessary for cooperation.
To ensure timely and efficient processing of vulnerability reports, we ask reporters to include at least the following information with the vulnerability report:
- Contact information and availability
- Affected product including model and version numbers
- Vulnerability classification (buffer overflow, XSS, etc.)
- Detailed description of the vulnerability (if possible with proof of concept, CWE-ID or CVE-ID if available)
- Impact of the vulnerability (if known)
- Current level of awareness of the vulnerability (are there specific plans for disclosure?)
- (Company) affiliation of the reporter (if willing to provide information)
- CVSS score (if known)
If further information is required to investigate the potential vulnerability, the DURAG PSIRT will contact the reporter.
If requested by the reporter, the reporter may be publicly acknowledged after disclosure of a new vulnerability.
Contact information
Reports to the DURAG PSIRT should be sent to the following address:
To protect sensitive information and data, encrypted messages are preferred. Accepted languages are German and English.
We publish the S/MIME certificate / public PGP key for the DURAG PSIRT on openkeys.de:
- S/MIME Certificate
- PGP Key
Fingerprint: BDC148CC197DF1A7803855FD06AB0B4CA985675D
For general questions and procedures regarding security-related vulnerability reports, please feel free to contact the DURAG PSIRT. For all other concerns not related to security issues, please contact DURAG GROUP Service and Support.
Cooperation / Coordination
We cooperate with CERT@VDE, the first platform for the coordination of IT security vulnerabilities in the field of automation.
Security Advisories
We disclose our security advisories together with other companies on the CERT@VDE website. At the link below, you will find vulnerability advisories for DURAG GROUP products or updated security advisories:
https://cert.vde.com/en/advisories/vendor/durag/