
Vulnerability Disclosure Policy

The Austrian Computer Emergency Response Team (CERT) is responsible for the KEBA Group. Additional information can be found at www.cert.at. The CSIRT is notified about all valid vulnerabilities of which KEBA Group becomes aware. Any new information and mitigating measures are shared with the CSIRT immediately.

Assurances of the manufacturer to the reporting entity

As long as reporters comply with our policy and the scope defined therein, KEBA Group makes the following assurances:

  • When conducting vulnerability research according to this policy, we consider this research to be authorized, lawful, helpful to the overall security of our products, customers and users, and conducted in good faith. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. Researchers are expected to comply with all applicable laws. If there are any concerns or uncertainties whether a research activity is consistent with this policy, please submit a report before proceeding.
  • We ensure that each vulnerability report is treated with the highest degree of confidentiality, and that information about the report or the reporter is only shared with third parties or publicly after obtaining the explicit consent of the reporter and in accordance with the GDPR.
  • We aim to give you a response to your initial report within 5 working days.

Requirements for valid vulnerabilities

For a vulnerability to be considered valid, the report must adhere to the following standards:

  • The vulnerability must affect at least one of KEBA's products or infrastructure.
  • The vulnerability relates to publicly unknown information.
  • The vulnerability notifications are not results of automated tools or scans without supporting documentation. We will not respond to mails which we suspect have been created by automated tools.

Code of Conduct for the reporting entity

While we will process all vulnerability reports and treat the vulnerabilities to the best extent possible, we ask you to adhere to the following guidelines:

  • Vulnerabilities are not exploited beyond a proof of concept, and any attack is stopped as soon as this proof of concept has been achieved.
  • No Out-Of-Scope attack types are used and no Out-Of-Scope test objects are attacked. These lists can be found later in this section.
  • No data is modified, manipulated, deleted or stolen.
  • No tools for exploiting the vulnerability are offered by the reporter.

The following attack types are explicitly Out-Of-Scope:

  • Social Engineering
  • Phishing
  • (D)DoS

The following test objects are explicitly Out-Of-Scope:

  • Any network infrastructure of KEBA Group

If any of the guidelines have been breached by accident, we ask you to reach out to us immediately, so we can work together to fix any issues that may have been caused by this. As long as no malicious intent is suspected, our "Assurances" still apply.

Report handling process

For full transparency, we want to explain how the vulnerability disclosure process typically looks and what the criteria for ending the process are:

  • When we receive a report, we try to evaluate it as soon as possible, and we aim to reply to the reporting party within 5 days.
  • We aim to reply within 10 days with a more detailed response. In it, we will also tell the reporting entity whether the report has been accepted and whether further steps are planned.
  • Some communication back and forth may be necessary, if:
    • We need more information from the reporting party.
    • The reporting party requests status updates, which we encourage.
  • The process is completed when one of these cases occurs:
    • We consider the information in the report to be unfounded.
    • The vulnerability has been fixed or mitigated, or the information has been made accessible to the relevant customers.
    • An advisory has been made public but no fix or mitigation is intended. This decision is made in consultation with our CSIRT.
  • We will inform the reporting party as soon as the process is deemed completed on our end.

Last modification: 05.06.2025
