Vulnerability Handling & Cyber Security
Reporting process for vulnerabilities in HYDAC products
Cyber security is a top priority
The HYDAC Product Security Incident Response Team (PSIRT) is the central point of contact that receives all reports on possible vulnerabilities and other cyber security-related reports regarding all HYDAC products.
We take the topic of cyber security very seriously and are grateful for any information as discovering a vulnerability helps to provide customers with a consistently high quality of security.
Help us keep our products safe by reporting a potential vulnerability via our reporting form.
Reporting & basic principles
The central point of contact for all potential cyber security-related reports that concern HYDAC products is the HYDAC PSIRT (Product Security Incident Response Team). In principle, everyone is entitled to report a vulnerability – be it customers, independent researchers or other parties.
We guarantee a confidential process for the handling of all reports related to cyber security. The first step in initiating this process is to use the reporting form.
The information required
To report and resolve a vulnerability efficiently, we ask you to provide us with the most detailed information possible.
These necessary details include:
- Detailed information on the vulnerability itself, in particular the nature of the vulnerability and its triggers.
- Information on the product concerned, including the name of the product and all relevant designations.
- The version used, specifying both the software and hardware version (if applicable) to enable accurate identification and replication of the problem.
Internal processing & analysis
Once the report has been received, all reports are recorded in a central system which enables transparent monitoring of the entire process.
The next step is the analysis:
For each report of a potential vulnerability, a dedicated review and analysis is performed to assess the validity, scope, and impact of the problem. This process involves the involvement of necessary stakeholders from different departments to ensure a comprehensive investigation and approach to the solution.
To fully clarify the situation, the person who reported the vulnerability may be consulted to get open questions answered or to obtain additional information, if necessary.
Action determination & solution (resolution)
Once the vulnerability has been successfully analysed and confirmed, the action determination phase begins. This is when the necessary steps to address the identified security issue are defined, planned and executed. This can include developing patches or updates or adjusting configurations. As soon as the solution is ready, the person who reported the vulnerability is provided with a final update on the solution that has been found and implemented.
Disclosure & cooperation
HYDAC attaches great importance to transparency and cooperation when it comes to cyber security. As a partner of CERT@VDE, we actively use this platform for the coordinated disclosure of vulnerabilities. For each confirmed vulnerability, a corresponding report is published at CERT@VDE to inform the public and relevant interest groups in a timely manner.
Important information is made available and links to published vulnerabilities such as the CERT@VDE Dashboard and the corresponding advisories of CERT@VDE are provided.
The person who reported the vulnerability has the option of being mentioned by name. To clarify this request, the registration form contains a checkbox which asks if there is consent for the person to be mentioned by name.
The proactive processing of vulnerability reports by PSIRT also prepares HYDAC for future regulatory requirements. Our process ensures that we are prepared for the rapid notification and correction of every vulnerability, which will be relevant for compliance with the CRA reporting obligations. Efficiency in addressing a security issue is a key factor.