Theben Responsible Disclosure Policy?
Theben develops and delivers products and solutions designed to meet high standards of quality, reliability, and security. The Theben Product Security Incident Response Team (PSIRT) supports this objective by managing and resolving security issues identified in Theben products, systems, or services by external security researchers, partners, or customers.
Theben PSIRT coordinates the assessment and handling of (potential) security vulnerabilities and incidents in close collaboration with internal engineering and development teams. This includes validating reported findings, assessing impact and risk, defining appropriate remediation measures, and establishing a structured response plan. Throughout the process, Theben maintains transparent and regular communication with the reporting party.
Theben encourages coordinated vulnerability disclosure. We kindly request that reported vulnerabilities be treated confidentially and not publicly disclosed until an appropriate fix, mitigation, or advisory has been made available. Premature public disclosure may expose customers and partners to unnecessary risk.
All identified vulnerabilities are welcome, regardless of product lifecycle status or the existence of a service or maintenance contract. Theben accepts reports from independent researchers, industry associations, CERTs (Computer Emergency Response Teams), partners, customers, and other stakeholders. Anonymous reports are also accepted.
Theben commits to reviewing and addressing any reported vulnerability that can reasonably be assumed to affect its products, systems, or services, and strongly advocates for coordinated disclosure to ensure responsible risk mitigation and customer protection.
How to report a security vulnerability?
If you believe that you have identified a potential security vulnerability or security incident related to a Theben website, Theben product, service, or a data protection issue, please follow the procedure below and use the appropriate contact formular to inform us.
The Theben Product Security Incident Response Team (PSIRT) encourages responsible disclosure of vulnerabilities. Our objective is to remediate identified weaknesses in a timely manner, provide transparent and accurate information to our customers and partners, and continuously improve the security and resilience of our products and services.
What Information Should Be Submitted?
To enable efficient analysis and remediation, please provide the following information when reporting a potential vulnerability affecting a Theben product, system, service, or website:
Affected asset:
Product name, model designation, hardware and firmware/software version (if available), or the specific URL in the case of a website vulnerability.
Technical description of the vulnerability:
A clear and reproducible description of the issue, including impact assessment where possible. Please include proof-of-concept material, exploit code, configuration details, log files, packet captures, or network traces, if available.
If the volume of data is substantial, Theben can provide a secure data transfer mechanism upon request.
Disclosure status and references:
Any known public references (e.g., advisory links, issue trackers, CVE identifiers). Please clearly state whether the vulnerability has already been publicly disclosed and, if so, by whom and on what date.
Theben Commitment
We ask that any reported vulnerability remain strictly confidential and not be disclosed to third parties until remediation has been completed and coordinated communication has been agreed with Theben.
Under the Theben Responsible Disclosure framework, the Theben Product Security Incident Response Team (PSIRT), in cooperation with the responsible engineering and development units, commits to:
Confirm receipt of a vulnerability report in a timely manner. Perform a structured technical assessment and provide an indicative remediation timeline. Notify the reporting party once corrective or mitigating measures have been implemented.
The standard target for acknowledging receipt of a vulnerability report is two (2) working days, excluding weekends and public holidays in Baden-Württemberg, Germany. Progress updates will be provided as material findings become available.
Theben will refrain from pursuing legal action against reporting parties who act in good faith and in alignment with this policy, provided that:
No deliberate disruption, damage, or exploitation is carried out. Confidentiality, data protection, system integrity, and operational availability are respected. No applicable criminal laws are breached. Public disclosure is coordinated with Theben and takes place only after remediation or mitigation has been finalized.
Theben recognizes and values the contribution of security researchers and other stakeholders who responsibly report vulnerabilities. Such collaboration is essential to continuously strengthening the security, robustness, and trustworthiness of our products and services.