Report a cybersecurity issue
Have you identified a cybersecurity issue in our infrastructure or products and services portfolio?

Feel free to contact our cybersecurity teams in case of a cybersecurity-related issue, and particularly if you want to report a potential vulnerability. Please bear in mind that only emails composed in English can be considered and encrypted communication is preferred.

Contact for Products and Services
Email: OT_disclosure@siemensgamesa.com
PGP Public Key and Fingerprint: F664 188E F570 4E20 67F0  B5B5 C41A 8534 ECCC B6F4
Contact for Corporate Systems & Infrastructure
Email: IT_disclosure@siemensgamesa.com
PGP Public Key and Fingerprint: AFD0 369A A14A 83A9 A2B1 E7B7 15D8 8F52 8384 A252
 

Please consider the following Vulnerability Disclosure Policy guidelines, which are intended to support you in reporting correctly:
General Guidelines
  • Notify Siemens Gamesa as soon as possible after discovering a real or potential cybersecurity issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
  • Give Siemens Gamesa a reasonable amount of time to resolve the issue, and do not disclose it publicly before a mutually agreed-upon timeframe.
  • Do not intentionally compromise the intellectual property or other commercial or financial interests of any Siemens Gamesa personnel or entities, or any third parties.
  • Adhere to the applicable laws and comply with all applicable software license requirements.
  • Once you have established that a vulnerability exists, or if you encounter any sensitive data (including personally identifiable information, financial information, proprietary information or trade secrets of any party), stop testing and notify Siemens Gamesa immediately, without disclosing the data obtained.
  • Purge Siemens Gamesa’s stored nonpublic data upon reporting an issue.
  • A correct and detailed disclosure of the issue should include the following recommended information:
  1. Clear and detailed description of the issue.
  2. Proof of the existence of the issue (screenshot, link, etc.).
  3. Clear and detailed information on how the issue has been discovered.
  4. Timeline or some information about the moment the issue was discovered.
  5. Any type of information deemed necessary to locate and resolve the issue in the fastest and most efficient way possible.
Actions not allowed
  • Vulnerability scanning may not serve as a pretext for attacking a system or any other target, and identified vulnerabilities must not be exploited in any way. Several actions must be avoided, including:
  1. Using social engineering
  2. Findings from physical testing such as office access (e.g. open doors, tailgating)
  3. Compromising the system and persistently maintaining access to it
  4. Changing the data accessed by exploiting the vulnerability
  5. Using malware
  6. Using the vulnerability in any way beyond proving its existence
  7. Using an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems
  8. Using brute force to gain access to systems
  9. Sharing the vulnerability with third parties
  10. Performing DoS or DDoS attacks
Awards, rewards and thanks
  • Siemens Gamesa sincerely appreciates and is thankful for the work involved in disclosing an issue, but currently does not consider any financial reward or public recognition.

Further information about data protection can be found in our privacy policy.