Responsible Disclosure Policy
ZF takes security very seriously for our customers, our products and our staff. We appreciate your help if you have discovered a vulnerability in our website, our products (software and hardware), our services or our web applications (such as MYTRANSICS), provided that you disclose it to us in a responsible manner through this Responsible Disclosure Policy. We will take immediate action when vulnerabilities or other issues are reported to us in accordance with this policy. This means that we will, inter alia, immediately engage the necessary persons within our staff as well as security researchers to resolve the issue. We will try to resolve any issue within due time and in accordance with our security and privacy commitments. We will not take legal action against those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. However, ZF reserves all legal rights in the event of any non-compliance.
We will investigate any details you provide and respond as soon as possible. We will be thankful for your disclosure, but do not offer any financial compensation. We do not operate a bug bounty program, and requests for compensation from your side will not be considered to be in compliance with this Responsible Disclosure Policy.
If you have discovered a vulnerability and want to report it to us while avoiding any legal action against you, we kindly ask you to act in a responsible manner. This means that the reporting person should respect at least the following guidelines:
- Do not disclose a bug or vulnerability on public notice boards, mailing lists or other public forums prior to responsible disclosure to us under this policy and an appropriate opportunity for it to be fixed.
- Do not utilize an exploit to view data without authorization, or to compromise confidentiality or availability.
- Do not perform an attack that would impact the reliability / availability of services. DDoS / Spam attacks are not allowed.
- Do not use scanners or automated tools to find vulnerabilities. They can have unintended consequences or impact.
- Never attempt non-technical attacks, such as social engineering, phishing or physical attacks, against our employees or infrastructure.
- Do not ask for compensation from an affected firm through any “marketplace” for vulnerabilities.
If you believe you have discovered a vulnerability in one of our products or (software) applications, please contact privacy.cvcsdcs@zf.com. Please do not publicly disclose suspected vulnerabilities without the prior consent of ZF.
Please send us the following details when reporting vulnerabilities:
- Suspected vulnerability
- Steps to enable us to reproduce the issue
- Your email address and a secure mechanism to contact you
- Your name (and/or colleague’s name) if you would like to be recognized