Coordinated Vulnerability Disclosure

If you have discovered a technical vulnerability in icotec IT systems, applications, or hardware, please report it to icotec ag using the form below. For a compliant report, please follow our general conditions and rules.

General Conditions and Rules:
How to Submit a CVD Report to Us

  • Fill out the form below with the details of your discovery.
  • Provide as much information as possible so that the vulnerability can be reproduced. This can speed up the process.
  • For more complex vulnerabilities, a direct exchange with you may be required. Provide us with at least an e-mail address or phone number.

Report Vulnerabilities

  • Only discuss the discovered security vulnerability during the CVD process with the responsible persons at icotec ag.
  • Do not make the vulnerability public before the affected parties have had sufficient time to fix the problem.
  • Do not repeatedly interact with the system after a vulnerability report during the CVD process.
  • Do not use vulnerabilities beyond what is necessary for a proof of concept to download, modify, or delete data.
  • Do not attempt to elevate privileges or explore a system beyond what is necessary for a proof of concept.
  • Do not exfiltrate other users’ data, test only with your own data.
  • Do not attempt to gain access to a system using brute force or social engineering techniques.
  • Do not use denial of service attacks.
  • Do not install malware or viruses.
  • If possible, include in your report which IP addresses you used when discovering the vulnerability so that potential exploits can be better assessed and false positives reduced.
  • Let the affected party know if you plan to make your findings public (report, presentation, article, etc.).

What You Can Expect from Our CVD Program

  • If a vulnerability relating to icotec’s systems is reported within the above rules and in good faith without fraudulent or damaging intent, icotec will not take any civil or criminal action against you.
  • You can submit your report anonymously.
  • icotec ag treats reports confidentially and only discloses personal data of the reporting parties or the recipient organization with their consent.
  • We will only name you as the person reporting a vulnerability with your consent.
  • You will receive an acknowledgement of receipt within 3 working days of reporting the problem.
  • icotec ag will keep the reporting party informed about the further development and the elimination of the vulnerability as far as possible.
  • icotec’s CVD program does not currently offer compensation for notifications.