Vulnerability Disclosure Policy (VDP)
Introduction
Sulzer acknowledges the valuable role of independent security researchers acting in good faith to help maintain the safety and security of our data, that of our citizens and that of our customers, as well as the reliability of our products and services. We therefore welcome responsible reporting of any vulnerabilities identified in digital assets owned, operated or maintained by us.
This policy outlines the steps for reporting vulnerabilities to us. Please review the policy carefully before you test and/or report a vulnerability. We are committed to collaborating with security researchers to verify and address any potential vulnerabilities that are reported.
Bug Bounty Program
Scope
Any public-facing digital assets owned, operated or maintained by Sulzer.
Out of Scope
Please note that we use services from other companies and/or organizations for some parts of our systems and infrastructure.
Vulnerabilities discovered or suspected in these third-party systems should be reported to the appropriate entity, vendor or applicable authority. If such a vulnerability is reported to us instead, we will bring it to the attention of the relevant organization, but the owner of the affected IT system remains responsible for that system and for any remediation activities.
Our Commitment
When working with us in accordance with this policy, you can expect us to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report.
- Work with you to understand and validate your report.
- Enter into an open dialogue to discuss issues.
- Work to remediate discovered vulnerabilities in a timely manner.
- Provide an estimated time frame for addressing the vulnerability report.
- Strive to keep you informed about the progress of a vulnerability as it is processed.
- Notify you when the vulnerability has been fixed.
- Recognize your contribution if you are the first to report a unique vulnerability that triggers a code or configuration change.
- Provide a legal Safe Harbor for your vulnerability research that is related to this policy.
Our Expectations
While participating in our vulnerability disclosure program, we ask you to:
- Play by the rules and instructions described in this policy.
- Comply with all applicable laws in connection with your report and your interaction with us.
- Report any vulnerability you have discovered promptly.
- Not exploit or use discovered vulnerabilities for any purpose other than reporting them to us.
- Avoid violating the privacy of others, disrupting our systems, destroying data, or degrading the user experience.
- Use only the official disclosure channels to discuss vulnerability information with us.
- Maintain the confidentiality of any discovered vulnerability details in accordance with this policy.
- If a vulnerability provides unintended access to data: access only the minimum amount of data required to demonstrate a Proof of Concept, then cease testing and submit a report immediately.
- Only interact with test accounts you own or for which you have explicit permission from the account holder.
- Not engage in extortion.
- Provide a reasonable amount of time for us to resolve the issue.
- Coordinate with us before disclosing vulnerabilities publicly.
Prohibited Conduct
While we encourage you to report any vulnerabilities you find, Sulzer does not permit the following types of security research:
- Performing actions that may negatively affect our systems or our customers (e.g., phishing, spam, brute-force attacks, denial of service).
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Conducting any kind of physical or electronic attack on our personnel, property, buildings or infrastructure.
- Social engineering our employees, customers or contractors.
Coordinated Vulnerability Disclosure (CVD)
We value the efforts of external security researchers who identify security vulnerabilities and responsibly disclose them so they can be fixed. Our policy is to allow publication, provided the following conditions are met (Coordinated Vulnerability Disclosure):
- The reporting individual does not publish the vulnerability before we have confirmed that a fix has been released and that publication is acceptable.
- The reporting individual does not publish exact details of the issue, such as exploits or Proof-of-Concept code.
Official Channels
Please report security issues via our Bug Bounty program, providing all relevant information. Do not submit reports from automated tools without verifying them first. The more of the following details you can provide, the easier it will be for us to triage and fix the issue:
- Technical description of the vulnerability, including:
  - Browser information (type and version) used
  - Relevant information about connected components and devices
  - Impacted platform(s) and URL(s)
  - Sample code demonstrating the vulnerability and/or detailed steps to reproduce it
  - Threat/risk assessment
- Date and time of discovery
- Contact information
- Possible disclosure plans
Please note that these channels are for reporting undisclosed security vulnerabilities only and must not be used for any other support or information requests. Inquiries sent there that do not relate to undisclosed security vulnerabilities will not receive any response.
Legal Safe Harbor
- We will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good-faith violations of this policy.
- We interpret activities by participants that comply with this policy as authorized access under the Swiss Penal Code, including Articles 143, 143bis and 144bis of the Swiss Penal Code.
- We will not file a complaint against participants who, in accordance with this policy, attempt to circumvent the security measures deployed to protect the services covered by this policy.
- If legal action is initiated by a third party against a participant and the participant has complied with the policy as outlined in this document, we will take the necessary measures to inform the authorities that the participant’s actions were in compliance with this policy.
- For minor breaches, a warning may be issued. For severe breaches, we reserve the right to file criminal charges.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research complies with this policy, please submit a report through one of our Official Channels before proceeding with your research.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.
Notice on Data Processing in the Context of the Bug Bounty Program
All data processing is exclusively handled by the Bug Bounty platform BugBounty.ch, operated by Bug Bounty Switzerland AG.
Sulzer only receives the selected information necessary to analyze and address reported vulnerabilities. The complete processing, storage and handling of the data is the sole responsibility of the Bug Bounty platform provider.
For detailed information on the processing of personal and security-related data by the Bug Bounty platform, please refer to the provider's privacy notice at https://www.bugbounty.ch/datenschutz/ or contact the provider directly at privacy@bugbounty.ch.