
siemens
External Program
Submit bugs directly to this organization
We want to proactively discover and remediate security vulnerabilities on our digital assets
The vulnerabilities identified in HackerOne reports will be classified by the degree of risk and the impact they present to the host system. This includes the amount and type of data exposed, the privilege level obtained, and the proportion of systems or users affected.
Security researchers are encouraged to report any behavior impacting the information security posture of siemens’ products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.
Document your findings thoroughly, providing steps to reproduce, and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward. *Reference HackerOne guidance on writing quality reports:
We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.
We will work with the affected teams to validate the report.
We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.
We will make a best effort to meet the following response targets for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), and FileUpload vulnerabilities are listed below.
Do not try to exploit service providers we use. Prohibited actions include, but are not limited to, brute-forcing login credentials of Domain Registrars, DNS Hosting Companies, Email Providers and/or others. The Firm does not authorize you to perform any actions against any property/system/service/data not listed below.
If you encounter Personally Identifiable Information (PII) contact us immediately. Do not proceed with access and immediately purge any local information, if applicable.
Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.
Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
# Out of scope vulnerabilities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any of our legal obligations, including but not limited to:
We affirm that we will not seek prosecution of any security researcher who reports any security vulnerability on a service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.
siemens cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability arising from actions performed against third parties.
Thank you for helping keep us and our users safe!