RFC 2350 Information about the Security Team
1 Document Information
1.1 Date of Last Update
September 11, 2024
1.2 Distribution List for Notifications
1.2.1 Advisories
Advisories are published in the CONTACT Community at the following address: https://community.contact-software.com/c/news-and-announcements/security/
You may register for e-mail notification within the forum software to be notified of any new advisories.
1.3 Locations where this Document May Be Found
This document can be downloaded via HTTPS from the CONTACT Software GmbH homepage: https://www.contact-software.com/en/security
2 Contact information
2.1 Name of the Team
CONTACT Software Security Team
2.2 Address
Physical deliveries can be addressed to:
CONTACT Software GmbH
Security Team
Wiener Straße 1-3
28359 Bremen
GERMANY
2.3 Time Zone
The team operates in the Europe/Berlin time zone: Central European Time/Mitteleuropäische Zeit (CET/MEZ).
Usually accessible during typical business hours from Monday to Friday.
2.4 Telephone Number
The central office can be reached at: +49 421 20153-0
Ask to be put through to the security team.
2.5 Facsimile Number
Must not be used for security purposes; use email instead.
2.6 Other Telecommunication
None for security purposes.
2.7 Electronic Mail Address
security@contact-software.com
2.8 Public Keys and Encryption Information
The current public PGP key can be fetched from the keyserver at https://keys.openpgp.org/ using the email address listed in 2.7.
It is also listed here:
2.9 Team Members
No public information about team members is disclosed.
2.10 Points of Customer Contact
The preferred method for contacting the security team is via e-mail at <security@contact-software.com>. If it is not possible (or not advisable for security reasons) to use e-mail, the security team can be reached by telephone during regular office hours. The security team's hours of operation are generally restricted to regular business hours (09:00am – 05:00pm, Monday to Friday except holidays).
3 Charter
3.1 Mission Statement
The purpose of the security team is, first, to help improve the security of the products made by CONTACT Software GmbH, and second, to assist customers and partners in responding to incidents or vulnerabilities related to CONTACT Software GmbH products.
3.2 Constituency
The security team provides its services to the following groups. The extent of these services varies by group and may be subject to support contracts.
- Employees (especially development and support related) at CONTACT Software
- Customers using CONTACT Software products
- Partners of CONTACT Software
Topics relating to general operations, the web site or other security-related matters concerning CONTACT Software GmbH may be handled on a case-by-case basis. Usually these will be forwarded to the responsible persons and not handled by the security team itself.
3.3 Sponsorship and/or Affiliation
The security team is affiliated with the software development (SD) department of CONTACT Software GmbH.
3.4 Authority
The security team has authority over the software development and release process at CONTACT Software GmbH.
It has NO authority over the deployed systems at customer sites and can only act in an advisory capacity for those. It also has NO authority over products that are based on CONTACT Software GmbH products but distributed and marketed by partners. It also has NO direct authority over the website or most other operational services used by CONTACT Software GmbH.
4 Policies
4.1 Types of Incidents and Level of Support
The security team's focus on the products, rather than on the operation of deployed systems, is reflected in the types of incidents handled and the support provided.
The security team will provide support for the following incidents and topics. The extent of support varies by topic and by the parties involved and may be subject to support contracts.
- Handle reporting of vulnerabilities in CONTACT Software GmbH products
- Handle the disclosure process for vulnerabilities and patches
- Provide consulting support for teams inside CONTACT Software GmbH
- Provide tools and documentation about security topics
- Provide advice or assistance to customers' CSIRT teams when resolving incidents related to or involving CONTACT Software GmbH products
- Provide limited consulting support for customers regarding secure deployment or operations practices of CONTACT Software GmbH products
- Provide consulting support for partners for security topics related to CONTACT Software GmbH products
4.2 Co-operation, Interaction and Disclosure of Information
CONTACT Software GmbH Security Team values cooperation and information sharing with other CERT/CSIRTs. Information is passed on only according to its classification and on a need-to-know basis, unless we are required to disclose it by law. CONTACT Software GmbH Security Team supports the responsible disclosure methodology (see OWASP Vulnerability Disclosure Cheat Sheet) with a usual timeframe of 30 days for security patches, which might be extended to 90 days if needed.
4.3 Communication and Authentication
When communicating by email via the security@contact-software.com address, messages will be signed with the security team's PGP key as listed in section 2.8. The current key may be retrieved from the keyserver at https://keys.openpgp.org/. All sensitive communication to CONTACT Software GmbH Security Team should be encrypted with our public PGP key. Senders should sign their messages if possible.
5 Services
5.1 Incident Response
All incidents related to **products** of CONTACT Software GmbH will be evaluated. Incidents related to CONTACT Software GmbH services or other topics will be forwarded to the responsible business units. Senders are encouraged to use the typical points of contact (if known) for those interactions, as CONTACT Software Security Team is only a fallback for operational concerns. If necessary, in-depth analysis is provided by technical experts.
5.1.1 Incident Triage
- Incoming incident reports are evaluated, prioritized and compared to ongoing incidents.
- Incidents are:
– checked whether they are comprehensible using given information
– classified with a severity and scope
5.1.2 Incident Coordination
- Incident-related information objects (e.g. logfiles, ...) will be classified with respect to the information disclosure policy.
- All other involved internal and external parties will be notified on a need-to-know basis, respecting our information disclosure policy, unless we are required to by law.
5.1.3 Incident Resolution
- The cause of the incident will be determined and its effects will be mitigated.
- Possibly analysis of compromised systems.
5.2 Proactive Activities
- Security Trainings for CONTACT Employees
- Security Reviews in the secure (product) development lifecycle (SDL)
- Secure Deployment Guides / Best practice guides
- Development of security configuration tools
- Introduction of new security requirements into product roadmap
- Publication of Security Advisories
- In-House Penetration testing & investigation of penetration testing results of customers
- Continuous Integration / Continuous Deployment with static code analysis
- Post-Mortem analysis to learn from the past
6 Incident Reporting Forms
No special incident reporting form is necessary. Please use the email address listed in section 2.7. Please include the following information with your reports.
- Contact Details
– name of person
– name and address of organization
– email address, telephone number, PGP key information if available
- Short summary of the incident
- Systems affected:
– Product Names and Versions involved
– Additional information
– Details of observations that led to discovery (e.g. logfiles, screenshots, etc.)
If possible, please sign your message with your PGP private key to establish a secure communications channel.
7 Disclaimers
While every precaution will be taken in the preparation of information, notifications and alerts, CONTACT Software GmbH assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.