Security Policy
This page describes how to report a suspected security vulnerability affecting MicroControl products and how we handle such reports.
Reporting a Security Vulnerability
If you believe you have discovered a security vulnerability in a MicroControl product, firmware, software component, documentation package, or online service, please contact us at:
E-Mail: incident (at) microcontrol.net
Please include as much information as possible to help us understand, reproduce, and assess the issue. Useful information includes:
– Affected product name and product ID
– Firmware, software, or hardware version
– Serial number or device variant, if relevant
– Description of the vulnerability
– Steps to reproduce the issue
– Proof-of-concept code, logs, screenshots, or packet captures, if available
– Potential impact
– Whether the issue is already publicly known
– Your contact details for follow-up questions
Please do not include sensitive customer data, personal data, passwords, private keys, or confidential third-party information unless strictly necessary.
Scope
This policy applies to security vulnerabilities affecting MicroControl products and related digital assets, including but not limited to:
– Embedded devices and electronic control products
– Firmware and bootloader components
– Configuration tools and related software
– Product documentation where security-relevant information is affected
– Public MicroControl web services
This policy does not cover general technical support requests, feature requests, product availability questions, or non-security-related bugs. For those topics, please use the regular contact channels on our website.
Coordinated Vulnerability Disclosure
We follow a coordinated vulnerability disclosure process. After receiving a report, we will review the information, validate the issue, assess the potential impact, and determine appropriate remediation or mitigation steps.
We ask reporters to give us reasonable time to investigate and resolve the issue before making information public. We also ask that you avoid actions that could harm MicroControl, our customers, or third parties, including:
– Accessing, modifying, or deleting data that does not belong to you
– Disrupting services or production systems
– Performing denial-of-service testing
– Using social engineering, phishing, or physical attacks
– Publicly disclosing vulnerability details before coordination is complete
What You Can Expect From Us
When you report a vulnerability to MicroControl, we aim to:
– Acknowledge receipt of your report within a reasonable time
– Keep you informed about the status of our analysis where appropriate
– Work with you to understand and reproduce the issue
– Assess affected products, versions, and configurations
– Provide remediation, mitigation, or workaround information where applicable
– Coordinate public disclosure when necessary
– Credit you for the report if you request it and if legally and practically possible
Response and remediation timelines depend on the complexity of the issue, affected products, safety considerations, customer impact, supply chain dependencies, and regulatory requirements.
Security Advisories
When a vulnerability affects MicroControl products and requires customer action, we may publish a security advisory.
Security advisories may include:
– Affected product names and product IDs
– Affected firmware or software versions
– Vulnerability description
– Severity rating, such as CVSS where applicable
– Remediation, mitigation, or workaround information
– References to CVE identifiers, if assigned
– Revision history
Where appropriate, MicroControl may provide machine-readable security advisories in CSAF format.
CSAF provider metadata, if available, can be found at:
https://www.microcontrol.net/.well-known/csaf/provider-metadata.json
Product Updates and Remediation
Depending on the affected product and vulnerability, remediation may include one or more of the following:
– Firmware update
– Software update
– Configuration change
– Network segmentation recommendation
– Operational mitigation
– Product-specific workaround
– Customer notification or security advisory
Customers are responsible for evaluating and applying updates or mitigations in their own operational environment. For industrial and embedded environments, updates should be tested and deployed according to the customer’s safety, availability, and maintenance requirements.
Vulnerability Handling and Communication
MicroControl may coordinate vulnerability handling with customers, suppliers, CERTs, CVE Numbering Authorities, industry partners, or regulatory bodies where appropriate.
If a vulnerability involves third-party components, open-source software, or supplier-provided technology, we may coordinate with the responsible party before publishing final information.
No Warranty
Information provided under this security policy, including advisories, mitigations, and recommendations, is provided in good faith and for informational purposes. It does not create any additional warranty, guarantee, or contractual obligation beyond the applicable product agreements and statutory requirements.
Contact
For security vulnerability reports, please contact:
MicroControl GmbH & Co. KG
Security Contact
E-Mail: incident@microcontrol.net
Website: https://www.microcontrol.net
For non-security inquiries, please use the general contact options provided on our website.