Reporting Vulnerabilities

Pursuant to the Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, Article 14, paragraph 4

1. Product Security Incident Response Team (PSIRT)

ACR Brändli + Vögeli AG is committed to ensuring the safety of its products and services.

We welcome reports from customers, business partners, distributors, system integrators, and other third parties who identify potential security vulnerabilities in AXTON-branded products.

 

2. Reporting a Vulnerability

If you believe you have discovered a cybersecurity vulnerability in one of our products, please report it to our Product Security Incident Response Team (PSIRT).

Email:security@axton.de

Donotuse this contact for:

  • Product Support Inquiries
  • Warranty or Guarantee Claims
  • Sales Inquiries
  • General Technical Support Inquiries

Note: Inquiries regarding the topics listed above will not be processed and will remain unanswered.

 

3. Required Information

A report of a suspected vulnerability should include the following information:

  • Brand
  • Model
  • Hardware Revision (if known)
  • Software or Firmware Version
  • Detailed description of the vulnerability
  • Steps for Reproduction
  • Proof-of-Concept Material
  • Potential Impacts
  • Your contact information

 

4. Guidelines for Coordinated Vulnerability Disclosure (CVD)

ACR supports the coordinated disclosure of vulnerabilities (CVD).

However, we expressly ask that you report vulnerabilities confidentially and not disclose them publicly before countermeasures have been implemented or the disclosure has been coordinated with ACR.

4.1 SafeHarbor Clause

ACR will not take legal action against security researchers who:

  • act in good faith,
  • Prevent data breaches,
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate their existence,
  • and comply with this disclosure policy.

Thus, activities carried out in accordance with the Safe Harbor provision are considered authorized.

 

5. Response Obligations

Our goal is:

  • to acknowledge receipt of a report within 7 calendar days,
  • to conduct an initial assessment within 30 calendar days,
  • Remedial measures should be determined on a risk-based basis, taking into account the impact and criticality.

Note: The deadlines listed are targets and do not constitute a legal right.

 

6. Handling Vulnerability Severity Levels

Reported vulnerabilities are assessed using the CVSS standard and internal risk assessment criteria.

Severity Categories:

  • Critical
  • High
  • Medium
  • Low

 

7. Security-Related Software Updates

Security-related software and firmware updates are available on the respective product- or brand-specific support pages. Please check the relevant update page for your product regularly.

 

8. Policy on Security Updates

The respective support periods are specified in the product documentation and can vary significantly depending on the product type and sales volume.

Security updates are provided for supported products during the specified support period.

 

9. security.txt

0
    0
    Your shopping cart
    Your shopping cart is emptyBack to the store