RFC 2350 Information about the Security Team


1 Document Information
1.1 Date of Last Update

September 11, 2024

1.2 Distribution List for Notifications

1.2.1 Advisories
Advisories are published in the CONTACT Community at the following address: https://community.contact-software.com/c/news-and-announcements/security/
You may register for e-mail notification within the forum software to be notified of new advisories.

1.3 Locations where this Document May Be Found

This document can be downloaded via HTTPS from the CONTACT Software GmbH homepage: https://www.contact-software.com/en/security


2 Contact information
2.1 Name of the Team

CONTACT Software Security Team

2.2 Address

Physical deliveries can be addressed to:

CONTACT Software GmbH
Security Team
Wiener Straße 1-3
28359 Bremen
GERMANY

2.3 Time Zone

The team operates in the Europe/Berlin time zone: Central European Time/Mitteleuropäische Zeit (CET/MEZ).
It is usually accessible during typical business hours, Monday to Friday.

2.4 Telephone Number

The central office can be reached at: +49 421 20153-0
Ask to be put through to the security team.

2.5 Facsimile Number

Must not be used for security purposes; use e-mail instead.

2.6 Other Telecommunication

None for security purposes.

2.7 Electronic Mail Address

security@contact-software.com

2.8 Public Keys and Encryption Information

The current public PGP key can be fetched from the keyserver at https://keys.openpgp.org/ using the e-mail address listed in section 2.7.
It is also listed here:

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=Y761
-----END PGP PUBLIC KEY BLOCK-----

2.9 Team Members

No public information about team members is disclosed.

2.10 Points of Customer Contact

The preferred method for contacting the security team is via e-mail at <security@contact-software.com>. If it is not possible (or not advisable for security reasons) to use e-mail, the security team can be reached by telephone during regular office hours. The security team's hours of operation are generally restricted to regular business hours (09:00am – 05:00pm, Monday to Friday except holidays).


3 Charter
3.1 Mission Statement

The purpose of the security team is, first, to help improve the security of the products made by CONTACT Software GmbH, and second, to assist customers and partners in responding to incidents or vulnerabilities related to CONTACT Software GmbH products.

3.2 Constituency

The security team provides its services to the following groups. The amount of services varies by group and may be subject to support contracts.

  • Employees (especially development and support related) at CONTACT Software
  • Customers using CONTACT Software products
  • Partners of CONTACT Software

Topics relating to general operations, the web site or other security-related topics concerning CONTACT Software GmbH may be handled on a case-by-case basis. Usually those will be forwarded to the responsible persons and not handled by the security team itself.

3.3 Sponsorship and/or Affiliation

The security team is affiliated with the software development (SD) department of CONTACT Software GmbH.

3.4 Authority

The security team has authority over the software development and release process at CONTACT Software GmbH.
It has NO authority over the deployed systems at customer sites and can only act in an advisory capacity for those. It also has NO authority over products that are based on CONTACT Software GmbH products but distributed and marketed by partners. It also has NO direct authority over the website or most other operational services used by CONTACT Software GmbH.


4 Policies
4.1 Types of Incidents and Level of Support

The security team's focus on the product itself, rather than on the operation of a deployed system, is reflected in the types of incidents handled and the support provided.
The security team will provide support for the following incidents and topics. The amount of support varies by topic and involved parties and may be subject to support contracts.

  • Handle reporting of vulnerabilities in CONTACT Software GmbH products
  • Handle the disclosure process for vulnerabilities and patches
  • Provide consulting support for teams inside CONTACT Software GmbH
  • Provide tools and documentation about security topics
  • Provide advice or assistance to customers' CSIRT teams when resolving incidents related to or involving CONTACT Software GmbH products
  • Provide limited consulting support for customers regarding secure deployment or operations practices of CONTACT Software GmbH products
  • Provide consulting support for partners for security topics related to CONTACT Software GmbH products

4.2 Co-operation, Interaction and Disclosure of Information

CONTACT Software GmbH Security Team values cooperation and information sharing with other CERTs/CSIRTs. Information is passed on only according to its classification and on a need-to-know basis, unless we are required to do so by law. CONTACT Software GmbH Security Team supports the responsible disclosure methodology (see the OWASP Vulnerability Disclosure Cheat Sheet), with a usual timeframe of 30 days for security patches, which may be extended to 90 days if needed.

4.3 Communication and Authentication

When using e-mail communication via the security@contact-software.com address, the messages will be signed with the security team's PGP key as listed in section 2.8. The current key may be retrieved from the keyserver at https://keys.openpgp.org/. All sensitive communication to CONTACT Software GmbH Security Team should be encrypted with our public PGP key. Senders should sign their messages if possible.
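Sections 2.8 and 4.3 rely on the team's armored PGP public key, either fetched from the keyserver or copied from this document. The following Python script is an added example, not part of this document and not CONTACT Software's tooling: it checks that an armored PUBLIC KEY BLOCK is intact before it is imported, by recomputing the OpenPGP CRC24 armor checksum (the `=XXXX` line just before the END marker, as defined in RFC 4880) and confirming that the first packet is actually a public key packet. The sample block it builds is a constructed placeholder with dummy key material, not CONTACT Software's key; only the armor format, the checksum and the packet framing are exercised.

```python
import base64
import re

# OpenPGP CRC24 parameters (RFC 4880, section 6.1)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Packet tags that appear in a public key block (RFC 4880, section 4.3)
PACKET_TAGS = {2: "signature", 6: "public key", 13: "user ID", 14: "public subkey"}

ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----",
    re.S,
)


def crc24(data: bytes) -> int:
    """CRC24 over the binary packet data, as used for the armor checksum."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def packet_tags(data: bytes) -> list:
    """Walk the OpenPGP packet sequence and return the tag of every packet."""
    tags, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not a packet header at offset %d" % pos)
        if ctb & 0x40:  # new-format header: tag in the low 6 bits
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header: tag in bits 2-5, length-field size in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        tags.append(tag)
        pos += hdr + length
    if pos != len(data):
        raise ValueError("truncated packet data")
    return tags


def check_armored_public_key(armored: str) -> dict:
    """Validate the armor checksum and the leading packet of a public key block."""
    match = ARMOR_RE.search(armored)
    if not match:
        raise ValueError("no PGP PUBLIC KEY BLOCK armor found")
    data_lines, checksum, in_headers = [], None, True
    for line in match.group(1).splitlines():
        line = line.strip()
        if in_headers:
            if line == "":                      # blank line ends the armor headers
                in_headers = False
                continue
            if re.fullmatch(r"[A-Za-z-]+: .*", line):
                continue                        # e.g. a "Comment: ..." armor header
            in_headers = False                  # block without any header section
        if line.startswith("="):
            checksum = line[1:]                 # "=XXXX": base64 of the 3 CRC24 octets
        elif line:
            data_lines.append(line)
    if checksum is None:
        raise ValueError("armor checksum line is missing")
    raw = base64.b64decode("".join(data_lines), validate=True)
    expected = int.from_bytes(base64.b64decode(checksum), "big")
    actual = crc24(raw)
    if expected != actual:
        raise ValueError("CRC24 mismatch: armor says %06x, data gives %06x" % (expected, actual))
    tags = packet_tags(raw)
    if not tags or tags[0] != 6:
        raise ValueError("first packet is not a public key packet: %r" % tags[:1])
    return {"bytes": len(raw), "crc24": "%06x" % actual,
            "packets": [PACKET_TAGS.get(t, "tag %d" % t) for t in tags]}


def armor_public_key(raw: bytes) -> str:
    """Wrap binary packets in armor with the CRC24 line (used to build the sample)."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n=%s\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n" % (body, crc))


# Constructed sample: a syntactically valid packet sequence (public key packet followed
# by a user ID packet) whose key material is a dummy placeholder. It is NOT a real key.
_KEY_BODY = b"\x04" + b"\x00\x00\x00\x00" + b"\x16" + b"\x00"   # version, time, algo, dummy
_UID = b"CONSTRUCTED SAMPLE <placeholder@example.invalid>"
SAMPLE_PACKETS = (bytes([0x99, 0x00, len(_KEY_BODY)]) + _KEY_BODY    # old-format tag 6
                  + bytes([0xB4, len(_UID)]) + _UID)                  # old-format tag 13
SAMPLE_ARMOR = armor_public_key(SAMPLE_PACKETS)


def corrupt_armor(armored: str) -> str:
    """Alter one base64 character of the data while keeping the original checksum."""
    lines = armored.splitlines()
    idx = next(i for i, l in enumerate(lines) if l and not l.startswith(("-", "=")))
    lines[idx] = ("A" if lines[idx][0] != "A" else "B") + lines[idx][1:]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(check_armored_public_key(SAMPLE_ARMOR))
    try:
        check_armored_public_key(corrupt_armor(SAMPLE_ARMOR))
    except ValueError as err:
        print("rejected:", err)
```

Run it on the block copied from section 2.8 (or on a file written by `gpg --export --armor`) before `gpg --import`: a checksum mismatch usually means the block was damaged in copy, paste or rendering, and a block whose first packet is not a public key packet is not a key at all. The CRC24 only detects accidental damage; the key's fingerprint must still be compared against the copy obtained from the keyserver before the key is trusted for encryption or signature verification.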


5 Services
5.1 Incident Response

All incidents related to **products** of CONTACT Software GmbH will be evaluated. Incidents related to CONTACT Software GmbH services or other topics will be forwarded to the responsible business units. Senders are encouraged to use the usual points of contact (if known) for those interactions, as CONTACT Software Security Team is only a fallback for operational concerns. If necessary, in-depth analysis is provided by technical experts.

5.1.1 Incident Triage

  • Incoming incident reports are evaluated, prioritized and compared to ongoing incidents.
  • Incidents are:
    – checked whether they are comprehensible using given information
    – classified with a severity and scope

5.1.2 Incident Coordination

  • Incident related information objects (e.g. logfiles, ...) will be classified with respect to information disclosure policy.
  • All other involved internal and external parties will be notified on a need-to-know basis respecting our information disclosure policy unless we are required to by law.

5.1.3 Incident Resolution

  • The cause of the incident will be determined and its effects will be mitigated.
  • Analysis of compromised systems, where applicable.

5.2 Proactive Activities
  • Security training for CONTACT employees
  • Security Reviews in the secure (product) development lifecycle (SDL)
  • Secure deployment guides / best practice guides
  • Development of security configuration tools
  • Introduction of new security requirements into product roadmap
  • Publication of Security Advisories
  • In-House Penetration testing & investigation of penetration testing results of customers
  • Continuous Integration / Continuous Deployment with static code analysis
  • Post-Mortem analysis to learn from the past

6 Incident Reporting Forms

No special incident reporting form is necessary. Please use the email address listed in section 2.7. Please include the following information with your reports.

  • Contact details:
    – name of person
    – name and address of organization
    – e-mail address, telephone number, PGP key information if available
  • Short summary of the incident
  • Systems affected:
    – product names and versions involved
    – additional information
    – details of the observations that led to discovery (e.g. logfiles, screenshots, etc.)

If possible, please sign your message with your PGP key to establish a secure communications channel.


7 Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CONTACT Software GmbH assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.