PRODUCT AND SERVICE SECURITY REPORTING AND ADVISORIES


Responsible Disclosure Policy

Preamble

Alfred Kärcher SE & Co. KG (hereinafter "Kärcher") is responsible for the IoT products as well as for the reporting procedure under this policy. Alfred Kärcher Vertriebs-GmbH, a wholly owned subsidiary of Kärcher, is responsible only for hosting this reporting homepage and has no role in handling any reports filed through it.

1. Values and Principles

Cybersecurity (hereinafter "security") is immensely important for Kärcher's IoT products and digital services. We pursue a security-by-design approach and are committed to maintaining the safety and security of our IoT products and digital services throughout their lifecycle. However, cybersecurity is a moving target and the security environment evolves continuously. New insights, attack capabilities, and vulnerabilities can be discovered at any time. Although we design our products with security in mind from the start, they can never reach 100 % perfect security.

Kärcher is committed to continuously supporting and improving the security of its IoT products and digital services. Therefore Kärcher wants to work closely with the security community. We welcome and encourage researchers, authorities, business partners, and other private and public actors to contact us about security issues, vulnerabilities, possible exploits, etc. relating to our IoT products and digital services. We regard every relevant piece of security information provided by a third party as a valuable part of our cybersecurity architecture.


2. Conditions of Reporting and Disclosure

Kärcher will make communication with the security community as easy and accessible as possible. However, the following points are important so that we can respond to reports quickly and effectively:

2.1 General:

  • Reports can be sent in English or German
  • No contracts or Non-Disclosure Agreements are required
  • Reports must refer to
    • a Kärcher IoT product, i.e. a product that bears the Kärcher logo and has some form of connectivity (Wi-Fi, Bluetooth, Zigbee, etc.), or
    • a digital service provided by Kärcher over the internet
  • We encourage reporters to use encrypted e-mail communication.
  • Kärcher will not pursue legal claims or charges of any kind in relation to the reporting of findings, vulnerabilities, exploits, etc. under the following circumstances:
    • The reporter does not cause harm to Kärcher and/or its affiliates, customers, suppliers or partners
    • The reporter does not compromise the privacy or safety of Kärcher and/or its affiliates, customers, suppliers or partners, or the operation of Kärcher's services
    • The reporter refrains from publishing his/her findings until Kärcher has been able to provide a fix
    • The reporter's testing must not violate any law, or disrupt or compromise any data or confidential information that is not his/her own.

2.2 Required Content for a Report

  • Affected IoT product (preferably with type name or serial number) or digital service (identified by full domain name or URL)
  • Contact information of the reporter for further communication (identifiable or anonymous)
  • Detailed description of the effect, insight or vulnerability (if possible with logs, images, or other additional material to reproduce the finding)
  • Title or category of the finding (if possible based on the OWASP or CWE database)
  • If known: impact, dependencies or other effects of the finding
  • If known: CVSS3 score of the finding or an estimation of CVSS-like parameters (e.g. privileges required, user interaction required, availability of attack tools, etc.)
  • If known: awareness of the finding, vulnerability, exploit, etc.


Note: We will analyze every report we receive. The more information we receive, the better we can respond to the report. If we do not receive sufficient information, we may have to put the report on hold or not follow it up.

2.3 Process of Disclosure

  • Confirmation of receipt of the report within 3 business days
  • Response with a first assessment or additional questions within 10 business days
  • Final response and security measures depend on the complexity of the finding
  • Each reporter will be notified when the finding has been fixed

Further applicable provisions

Non-security-related issues or reports concerning Kärcher's products will not be processed by this point of contact. Kärcher will inform the reporter of the decision to classify the report as non-security-related. In such cases, please contact your customer service or your responsible sales representative or dealer.

Kärcher appreciates every report and wants to apply suggested solutions to security issues wherever feasible. In order to be able to integrate code, snippets, images or other types of potential intellectual property, we must ensure that they are not subject to legal claims. Otherwise security updates and patches cannot be deployed even if they solve the security issue.

Kärcher is not claiming any ownership rights to the submitted report. However, by providing any report to Kärcher, the reporter:

  • grants Kärcher the following non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in his/her report: (i) to use, review, assess, test, and otherwise analyze his/her report; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of his/her report and all its content, in whole or in part; and (iii) to feature his/her report and all of its content in connection with the marketing, sale, or promotion of this service or other services (including internal and external sales meetings, conference presentations, tradeshows, and screenshots of the report in press releases) in all media (now known or later developed);
  • agrees to sign any documentation that may be required for us or our designees to confirm the rights the reporter granted above;
  • understands and acknowledges that Kärcher may have developed or commissioned materials similar or identical to his/her report, and he/she waives any claims he/she may have resulting from any similarities to his/her report;
  • understands that the reporter will not receive any compensation and is not guaranteed credit for use of his/her report; and
  • represents and warrants that his/her report is the reporter's own work, that the reporter has not used information owned by another person or entity, and that the reporter has the legal right to provide the report to Kärcher.

Contact form

To ensure a quick and appropriate response, we recommend using our contact form.

Note: Please use a PC or tablet to access and fill out the refund form. Using the mobile version or Internet Explorer might lead to display errors. We apologize for this.