Disclosure Policy Fraunhofer SIT
(24.10.2024)
As a cybersecurity research institute, Fraunhofer SIT prioritizes the security of its products and services. Ensuring that our software and services are secure is crucial for us. Being security researchers ourselves, we value and recognize the contributions of independent security experts and support coordinated vulnerability disclosure. Therefore, if you identify any security vulnerabilities in our products or services, we would greatly appreciate it if you informed us.
What we promise
- We will take immediate action to rectify the vulnerability as soon as possible.
- We will give you feedback on the vulnerability report unless you do not wish to receive any.
- We will treat your report confidentially and will not disclose your personal data to any third parties without your consent or unless obligated by applicable law.
- We will treat your report confidentially and take measures to protect your personal data. For more information on how we handle your personal data, please refer to our privacy statement: https://www.sit.fraunhofer.de/en/privacy-statement.
- Fraunhofer SIT will not pursue legal action related to your activities of identifying vulnerabilities on our systems if you follow the guidelines in this policy. We will not take legal action against you simply for providing us with a proof of concept of the security vulnerability. This does not apply if you clearly pursue criminal intent or conduct (industrial) espionage.
- If legal action is initiated by a third party against you and you have complied with this security policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
- We will evaluate vulnerability reports based on their technical accuracy and the severity of the reported vulnerability alone without considering age, gender, social status, religion, nationality or the like.
- If you consent, we will publish your finding on our “thank you” website (https://www.sit.fraunhofer.de/security-policy/acknowledgments) and/or work with you on obtaining a CVE number for your finding that states you as the researcher who discovered the vulnerability.
Guidelines
The following rules ensure that we can process your vulnerability report properly. We expect all reporters to follow these rules.
- do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, deleting, or modifying other people’s data
- only use harmless exploits to confirm that a vulnerability is present
- do not reveal any data downloaded during the discovery to the public or any other parties
- do not reveal the vulnerability or problem to the public or other parties until it has been resolved
- do not:
  - place malware (virus, worm, Trojan horse, etc.) on any system
  - compromise any systems using exploits to gain full or partial control
  - copy, modify or delete data from the system
  - make changes to the system
  - repeatedly access the system or share access with the public or other parties
  - use any access obtained to attempt to access other systems or further expand your privileges beyond what you have achieved by validating your initial vulnerability
  - change access rights of other users
Qualifying Vulnerabilities
The list below provides examples of vulnerabilities that can be reported through this program. It is not exhaustive but aims to offer an overview. Vulnerabilities may be reported in services hosted by Fraunhofer SIT (e.g., the website, event registration, etc.) or in software licensed by the institute.
- SQL injection
- Path traversal
- Cross-Site-Scripting (XSS)
- Remote Code Execution (RCE)
- Information Leakage
- Improper Error Handling
- Sensitive Data Being Available Online (Information Leaks)
- Backdoors
- Insecure Default Configurations (in software developed by Fraunhofer SIT)
Non-Qualifying Vulnerabilities
The following list shows examples for reports that cannot be processed as part of this policy.
- Vulnerabilities reported by automated tools without additional analysis as to whether they are false positives and how they are an issue
- Reports on outdated or vulnerable software being used without a proof of concept that the vulnerability in the software can be exploited
- Social engineering on the institute, its employees or contractors
- Attacks that require physical access to the institute or any other Fraunhofer premises
- (Distributed) Denial-of-service attacks
- Brute force or dictionary attacks to access any systems or to compromise user accounts
- Best practices not being followed by institute software or services (e.g., certificate pinning, security headers) that do not immediately lead to an exploitable vulnerability
We are happy to receive vulnerability reports on (untested) alpha / beta software or intermediate versions (e.g., nightly builds), which are provided to some customers/project partners by the Institute under special agreements. However, note that we will not publicly acknowledge findings on such preliminary versions.
Reporting
If you have found a vulnerability:
- send an email to security@sit.fraunhofer.de
- encrypt your report using our PGP key //link// to prevent this critical information from falling into the wrong hands
- please submit your report in English or German
- please specify to which product, website or area you are referring and what kind of vulnerability you are referring to
- please include a proof of concept and a detailed description. The more technically precise you are, the easier it is for us to fix the vulnerability.
- please give us time to develop and roll out countermeasures, before you make technical details public (Coordinated Vulnerability Disclosure)
Report Template
For ease of analysis, we recommend utilizing the following template for your report submission. The provided example is not exhaustive; instead, it demonstrates various types of reports that would be highly beneficial to us.
- Title of the vulnerability. Example: “SQL injection on example.sit.fraunhofer.de”
- Affected product or service. Example: VUSC code scanner (Enterprise Edition), release version 1.12.0
- Type of the vulnerability. Example: Remote code execution, allows for executing arbitrary Java code
- Preconditions for exploit.
  Example 1: Account in the software required, at least “reporter” role must be granted
  Example 2: Own code must be running on the same cloud service
  Example 3: Nothing, remote attack without authentication
- User interaction.
  Example 1: Legitimate user must confirm a message, but attacker can manipulate the text of the message.
  Example 2: Nothing, no interaction
- Technical details. Example: Explanation of untrusted deserialization behind REST endpoint X of the online event planner in POST parameter Y.
- Proof of concept. Example: Provide a Python script that sends a request to the VUSC server to perform a remote code execution, including the exploit and an example payload.
- Optional: Author and contact information for further questions
- Consent for publishing the name of the submitter on our “thank you” website and/or as part of the CVE.
If you contact us regarding your test results, we process your data to fulfill the above-stated disclosure policy. A publication of your name on our “thank you” website, however, is only carried out if you consent to it. We will obtain your consent before we publish the announcement.