Feel free to contact our cybersecurity teams in case of a cybersecurity-related issue, and particularly if you want to report a potential vulnerability. Please bear in mind that only emails composed in English can be considered and encrypted communication is preferred.
Please follow the Vulnerability Disclosure Policy guidelines below to ensure a correct reporting process:
- Notify Siemens Gamesa as soon as possible after discovering a real or potential cybersecurity issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Test on products without affecting customers, or obtain permission/consent from customers before engaging in vulnerability testing against their devices, software, etc.
- Give Siemens Gamesa a reasonable amount of time to resolve the issue and do not disclose it publicly before a mutually agreed-upon timeframe.
- Do not intentionally compromise the intellectual property or other commercial or financial interests of any Siemens Gamesa personnel or entities, or any third parties.
- Adhere to the applicable laws and comply with all applicable software license requirements.
- Once it has been established that a vulnerability exists, or if any sensitive data is encountered (including personally identifiable information, financial information, proprietary information or trade secrets of any party), testing must stop and Siemens Gamesa must be notified immediately, without disclosing the data obtained.
- Purge Siemens Gamesa’s stored nonpublic data upon reporting an issue.
- A correct and detailed disclosure of the issue should include:
  - A clear and detailed description of the issue.
  - Proof of the existence of the issue (screenshot, link, etc.).
  - Clear and detailed information on how the issue was discovered.
  - A timeline, or at least some information about when the issue was discovered.
  - Any other information deemed necessary to locate and resolve the issue as quickly and efficiently as possible.
- Vulnerability scanning must not serve as a pretext for attacking a system or any other target, and identified vulnerabilities must not be exploited in any way. The following actions must be avoided:
  - Using social engineering
  - Reporting findings from physical testing such as office access (e.g. open doors, tailgating)
  - Compromising a system and persistently maintaining access to it
  - Changing data accessed by exploiting the vulnerability
  - Using malware
  - Using the vulnerability in any way beyond proving its existence
  - Using an exploit to compromise or exfiltrate data, establish command-line access and/or persistence, or "pivot" to other systems
  - Using brute force to gain access to systems
  - Sharing the vulnerability with third parties
  - Performing DoS or DDoS attacks
- Siemens Gamesa sincerely thanks and appreciates the work of those who disclose issues, but currently does not offer any financial reward or public recognition.