Policy

In the event that you have discovered a technical vulnerability in an IT system of the Frutiger Group, we encourage you to report it to the Frutiger AG IT Department using the Coordinated Vulnerability Disclosure program:

  • Do not discuss the security vulnerability you have discovered with anyone
  • Do not publicly disclose the vulnerability until we have been given enough time to remedy it
  • Do not leverage vulnerabilities to download, modify or delete any data beyond the minimum necessary actions to provide a proof of concept.
  • Do not attempt to elevate privileges, or explore a system beyond the minimum necessary to provide a proof of concept.
  • Do not attempt to gain access to a system using brute force or social engineering techniques.
  • Do not use denial of service attacks.
  • Do not install malware or viruses.
  • When possible, specify in your report which IP addresses you were using when you discovered the vulnerability; this will help assess potential exploitation and reduce false positive alerts.
  • Communicate your intentions to the Frutiger Group if you plan to disclose your findings publicly (advisory, conference talk, article, etc.).

If a vulnerability affecting the Frutiger Group is submitted in compliance with the rules specified above and the reporter acts in good faith, without fraudulent intent or intention to harm, the Frutiger Group will not pursue civil or criminal action against you.
You will receive an acknowledgment of receipt within 3 business days of disclosing the issue.

Currently, the Frutiger coordinated vulnerability disclosure programme does not offer any recompense to reporters.

Contact it-security@frutiger.com