KÄRCHER PRODUCT AND SERVICE SECURITY REPORTING AND ADVISORIES
Responsible Disclosure Policy
Alfred Kärcher SE & Co. KG (here short "Kärcher") is responsible for the IoT products as well as for the reporting procedure under this policy. The Alfred Kärcher Vertriebs-GmbH, a wholly owned subsidiary of Kärcher, is responsible for hosting this reporting homepage only and has no role in the process of handling any reports filed through the reporting homepage.
1. Values and Principles
Cybersecurity (here short "security") is immensely important for Kärcher's IoT products and digital services. We pursue a security-by-design approach and are committed to keeping our IoT products and digital services safe and secure along their lifecycle. However, cybersecurity is a moving target and the security environment will evolve continuously. New insights, attack capabilities, and vulnerabilities can be discovered at any time. Although we design our products with security from the start, they can never reach 100 % perfect security.
Kärcher is committed to continuously supporting and improving the state of security of its IoT products and digital services. Therefore, Kärcher wants to work closely together with the security community. We welcome and encourage researchers, authorities, business partners, and other private and public actors to contact us about security issues, vulnerabilities, possible exploits, etc. in relation to our IoT products and digital services. We regard each relevant piece of security information provided by a third party as a valuable part of our cybersecurity architecture.
2. Conditions of Reporting and Disclosure
Kärcher will make communication with the security community as easy and accessible as possible. However, the following points are important so that we can respond to reports quickly and effectively:
- Reports can be sent in English and German
- No contracts or Non-Disclosure Agreements are required
- Reports must refer to
  - a Kärcher IoT product, i.e. a product that bears the Kärcher logo and has some sort of connectivity (WiFi, Bluetooth, Zigbee, etc.), or
  - a digital service provided by Kärcher over the internet
- We encourage reporters to use encrypted email-communication.
- Kärcher will not pursue legal claims or charges of any kind in relation to the reporting of findings, vulnerabilities, exploits, etc., given the following circumstances:
  - The reporter does not cause harm to Kärcher and/or its affiliates, customers, suppliers or partners
  - The reporter does not compromise the privacy or safety of Kärcher and/or its affiliates, customers, suppliers or partners, or the operation of Kärcher's services
  - The reporter refrains from publishing his/her findings until Kärcher has been able to provide a fix for them
  - A reporter's testing must not violate any law, or disrupt or compromise any data or confidential information that is not his/her own.
2.2 Required Content for a Report
- Affected IoT product (preferably with type name or serial number) or digital service (identified by full domain name or URL)
- Contact information of reporter for further communication (identifiable or anonymous)
- Detailed description of effect, insight or vulnerability (if possible with logs, images, or other additional material to reproduce the finding)
- Title or category of finding (if possible based on OWASP or CWE database)
- If known: Impact, dependencies or other effects of finding
- If known: CVSS3 score of finding or estimation of CVSS-like parameters (e.g. privileges required, user interaction required, attack-tool availability, etc.)
- If known: Awareness of the finding, vulnerability, exploit etc.
Note: We will analyze each report. The more information we receive, the better we can respond to the report. If we do not receive sufficient information, we may have to put the report on hold or not follow it up.
2.3 Process of Disclosure
- Confirmation of receipt of the report within 3 business days
- Response with a first assessment or additional questions within 10 business days
- Final response and security measures depend on the complexity of the finding
- Each reporter will be notified when the finding has been fixed
Further applicable provisions
To ensure a quick and appropriate response, we recommend using our contact form.