Why should one report vulnerabilities? We would like to explicitly encourage everyone, not just HIMA customers, to give feedback on all HIMA products and solutions. All data and especially all personal data will be handled strictly confidential without the need of a nondisclosure-agreement. Reporting vulnerabilities enables Vendors to fix these vulnerabilities and inform customers about mitigation measures, workarounds and fixes. This approach helps HIMA to improve the robustness and reliability of HIMA products and solutions. And most important HIMA customers are enabled to manage security risks.

How can one report vulnerabilities? We beg everyone to report any security related vulnerability of HIMA product or solution. The more comprehensive, precise and detailed the information is PSIRT receives the more efficient the further steps can be executed. (please also see “Suggested Content”) HIMA offers 4 ways to contact:

1. Standard Support support@hima.com
   
2. E-mail to psirt@hima.com / Public Key
   
3. Indirect via our Partner CERT@VDE: https://cert.vde.com/helper/reportvuln/
   
4. Whistlerblower System (anonymous)
   

Preferred languages are English and German.

Who will receive the report?
HIMA ensures that the report is available to the necessary specialists to fix the described problem. And only to this HIMA employees. No external people will be able to access the report.
HIMA ensures that the reporting party's contact information is kept private unless the reporting party specifically requests that the contact information is disclosed.

What will be done with the report?
HIMA PSIRT is a central, interdisciplinary team at HIMA Paul Hildebrandt. HIMA PSIRT will review the impact and relevance of the reported vulnerability on HIMA products and solutions.  

How long will it take until HIMA will react?
The reception of a reported vulnerability will be typically confirmed within 2 workday. 

How long will it take until the issue is solved?
HIMA has the special situation that the safety and security development process with industrial requirements have to be synchronized. Typically the timeline for mitigation measures or fixes is therefore longer than in other sectors. Therefore we have to beg for patience. If whished HIMA will keep close contact with the reporting party.
Since lots of HIMA components and systems are provided as parts of critical equipment, HIMA begs the reporting party to coordinate the disclosure of information. This is to avoid the disclosure until appropriate mitigation measures, workarounds or a real fixes are available.

How does the public get informed on the result?
In the case of a Critical or High rated vulnerability a CVE will be requested and security advisories will be published on our partner platform CERT@VDE. Medium and Low criticality will be published with the next product version in the release-note.
Customers can either register for an RSS/Atom feed or can directly look for HIMA products and solutions (https://cert.vde.com/de/advisories/vendor/hima/) 
In extreme cases (e.g. functional safety is endangered) the affected customers will be contacted directly as far as possible and as soon as possible.
We will always weigh if and when we report a vulnerability (responsible disclosure). In very rare cases HIMA might also comment vulnerabilities that do not affect HIMA products and solutions.

What is in the advisory?
An advisory reflects the relevant facts and history of the vulnerability. 

Here is a guideline for valuable information (all information is voluntary)  

• Personal contact (Name, Organization, E-mail, Telephone, Country)
• Description of the Vulnerability (effect, how to reproduce, logfiles, pcap, CWE-ID, CVE-ID if available)
• Name of the affected product (HIMax (CPU, COM, IO), HIMatrix, HIQuad, OPC-UA, SILworX…)
• Software Version of the affected product
• Serial number of the affected product
• Additional Comments
• Disclosure (Do you plans to disclose, or is the vulnerability already disclosed
• Can or should we contact you?