Coordinated disclosure policy
Coordinated Vulnerability Disclosure Policy of the Voith Group
Our Security Policy
Voith operates a multi-layered security concept to ensure IT security and data protection in all our products and systems. This security concept is regularly checked, among other things, by our certifications, e.g. ISO 27001.
Should you nevertheless discover security problems or vulnerabilities in our applications or systems, please inform us. We will take immediate action to remedy the vulnerability found as quickly as possible.
How to report a vulnerability
Please send all relevant findings via email to security@voith.com. You can encrypt this email with our PGP key to protect this sensitive information from third parties. Alternatively, please contact us by phone at +49-(0)7321-37-2222, quoting "Coordinated Disclosure".
Please provide us with sufficient information so that we can reproduce and analyze the problem.
As complex issues may require queries, we also ask you to provide us with a way of contacting you.
We request that you do not use the discovered vulnerability for this purpose, for example by downloading, modifying, deleting data, uploading code or giving information about the weakness to third parties.
What we promise
We will inform you about the receipt of your report, furthermore we will keep you informed about relevant results of the internal processing.
We will take appropriate countermeasures as soon as possible to close the reported vulnerability.
We will treat your report and related information strictly confidentially and will not disclose your personal data to third parties without your consent.
We will not take any legal action against you. This does not apply in cases of recognizable criminal or intelligence intentions.
The reporter is judged according to his or her abilities and not according to personal aspects such as age, gender, origin, education or social rank.
We show this respect and gratitude to every reporter by documenting the closed vulnerability in the corresponding documentation or news of the item concerned. If you wish, this can also be done by mentioning your name (or alias).
We currently have no general bug bounty program. There is expressly no legal claim to a reward. Decisions in this regard are subject to Voith's sole discretion.
Voith GmbH & Co. KGaA
PGP Key for secure communication
Please note this key is not published on public keyservers to avoid spam/phishing emails.