Vulnerability Disclosure Policy

BORA Vertriebs GmbH & Co KG always strives to offer its customers first-class, highly reliable products and services. We do this by checking every security vulnerability that is reported after being discovered by partners, customers or external experts.

This policy applies to all security vulnerabilities that you would like to report to us. We recommend that you read this policy in full and act in accordance with its provisions. This ensures that vulnerabilities are correctly identified and treated as such. BORA Vertriebs GmbH & Co KG appreciates the time and effort taken to report vulnerabilities. However, please note that BORA Lüftungstechnik GmbH does not offer monetary compensation for vulnerability disclosures. 

If you think that you have found a security vulnerability, please submit your report using this link or by email (link to form/email address) and include the following information:

  • URL or IP where the vulnerability can be found
  • A short description of the type of vulnerability (e.g. “XSS vulnerability”)
  • Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps ensure that the report can be processed quickly and accurately. It also reduces the likelihood of duplicate reports, or the malicious exploitation of some vulnerabilities, such as subdomain takeovers.

Once you have submitted your report, we will start by triaging and remedying the vulnerability. We aim to respond to reports within 10 working days and work on them within 14 working days. We will keep you updated about our progress. We assess the priority of the remedial measures based on the impact, severity and complexity of the vulnerability. As a token of our appreciation, we may include the names of those who have discovered vulnerabilities on our thank-you page, provided they consent to us doing so.

 

Guidance

You must not

  • break any applicable laws or regulations;
  • access unnecessary, excessive or significant amounts of data;
  • modify data in the organisation’s systems or services; 
  • use high-intensity, invasive or destructive scanning tools to identify vulnerabilities;
  • attempt or report any kind of denial-of-service attack, e.g. overwhelming a service with a high number of requests; 
  • disrupt the organisation’s systems or services; 
  • submit reports detailing vulnerabilities that can’t be exploited, or submit reports that tell us that the services don’t fully conform to best practice, such as missing security headers; 
  • submit reports about vulnerabilities in the TLS configuration, such as “weak” cipher suite support or the presence of TLS1.0 support; 
  • disclose vulnerabilities or related details in any way other than that described in the published security.txt;
  • perform social engineering, phishing or physical attacks on the organisation’s staff or infrastructure; or
  • demand financial compensation in return for disclosing vulnerabilities.

You must

  • always comply with data protection regulations, and you must not violate the privacy of the organisation’s users, employees, contractors, systems or services. For instance, you must not share, redistribute or fail to properly safeguard data retrieved from the systems or services. 
  • You must securely delete all data that you have obtained as part of your investigations once you no longer need it or within one month after the vulnerability has been remedied, whichever occurs first (or as stipulated in data protection law).

 

Legalities

This policy has been designed to ensure that those who discover vulnerabilities and follow the guidance are not subject to prosecution. 

 

Reporting vulnerabilities

Please report to us vulnerabilities that you discover in IT systems and web applications belonging to BORA Vertriebs GmbH & Co KG or in products sold by BORA Vertriebs GmbH & Co KG. We will then take prompt action to remedy the vulnerability as quickly as possible.

Please follow these steps to report vulnerabilities:

  • Before you submit a report, find out which cases do not fall within the scope of our vulnerability disclosure policy and will therefore not be processed as part of it.
  • Email your results regarding the vulnerability to security@bora.com
  • Do not exploit the vulnerability, e.g. by uploading code or downloading, modifying or deleting data.
  • Do not disclose information about the vulnerability to third parties or institutions unless explicitly authorised to do so by BORA Vertriebs GmbH & Co KG.
  • Do not perform attacks on our IT systems that compromise, modify or manipulate people and infrastructure.
  • Do not perform social engineering (e.g. phishing), (distributed) denial-of-service, spam or other attacks on BORA Vertriebs GmbH & Co KG.
  • Provide us with enough information that we can reproduce and analyse the issue. Please also provide us with a way of contacting you in case we have queries.