Rieter Vulnerability Disclosure Policy (VDP)

Rieter acknowledges the valuable role of independent security researchers acting with good intentions to help us maintain the safety and security of the websites of Rieter and its subsidiaries. Rieter welcomes the responsible reporting of any security vulnerabilities found on Rieter websites.

We ask you to disclose information about security issues in a responsible manner and in accordance with this policy. Please read the following policy carefully before you test and/or report any security vulnerability and ensure that you follow the rules.

Scope of this policy

All publicly facing websites of Rieter that are reachable by default are in scope of this policy. This explicitly includes the following domains:

rieter.com
accotex.com
temco.de
graf-companies.com
suessen.com
novibra.com
ssm.ch
rieterchina.cn

What Rieter expects from independent security researchers discovering and reporting vulnerabilities

  • Disclose issues as soon as possible via the vulnerability disclosure form located on XXXXX.
  • Provide valid contact information.
  • Respond when we have a question for you.
  • Include as much information as possible in your report to help us recreate the issue (for details, see “How to report a vulnerability” below).
  • Use vulnerabilities only to the extent necessary to report. Do not use vulnerabilities for any other purpose.
  • Do not violate the privacy of others or interfere with our systems. Do not destroy data or harm user experience.
  • Only interact with test accounts that belong to you or for which you have the verifiable explicit permission of the relevant account holder.
  • Do not discuss the security vulnerability you have discovered with anyone other than the affected vendor, the respective system owner and Rieter during the disclosure process.
  • Do not perform actions that may negatively affect Rieter or its clients, like denial of service or spam.
  • Do not install malware or viruses.
  • Do not perform attacks that negatively impact the performance of Rieter systems, such as brute forcing of any kind, fuzzing, etc., without any throttling.
  • Do not access any non-public applications and systems, e.g. via lateral movement.
  • Do not steal, destroy or corrupt, or attempt to steal, destroy or corrupt data or information of Rieter.
  • Do not attempt to gain access to a system using brute force or social engineering techniques.

What reporters can expect from Rieter’s VDP program

  • Rieter will treat reports as confidential and will not share the personal data of the reporting parties or receiving organization without their respective consent.
  • You will receive an acknowledgement of receipt within 5 business days of disclosing the issue. Rieter will review the report within 10 business days.
  • Provided you have given your consent, we will credit you by name as the reporter of a vulnerability.
  • Wherever possible, Rieter will keep you, the reporting party, informed of developments and the remedy for the vulnerability.

Rieter will not pursue legal action against individuals who report vulnerabilities in good faith within the scope of this policy, and without causing harm.

Currently, the Rieter VDP program does not offer any compensation to reporters.

How to report a vulnerability

Report any details of an identified or alleged vulnerability via our GObugfree program. Please include detailed information with steps for us to reproduce the vulnerability, such as:

  • Technical description
  • Sample code to demonstrate the vulnerability and/or detailed steps to reproduce
  • Tools or scripts used
  • Threat/risk assessment
  • Date and time of discovery
  • Your contact information 