Working together to identify security vulnerabilities and improve the security of bn-its products and services
bn-its Policy on the Responsible Disclosure of Security Vulnerabilities
The security of our products and services is a top priority for bn-its. Despite careful development and regular testing, security vulnerabilities can never be completely ruled out. We therefore welcome feedback from the security community and work closely with external researchers, partners, and customers to quickly identify and address potential vulnerabilities.
If you discover a security vulnerability in a bn-its product or service, we ask that you report it to us responsibly. Our team carefully reviews all reports and coordinates the next steps with the relevant development teams. This includes analyzing the reported vulnerability, planning appropriate countermeasures, and maintaining transparent communication with the reporter throughout the entire process.
Scope
This policy applies to all products and services sold under the bn-its brand. For more information on individual products, their features, and the respective CE declarations of conformity, please refer to the product-specific manuals and documentation on our website.
Unfortunately, we are unable to process inquiries regarding products or systems that are not developed or distributed by bn-its. In such cases, we recommend contacting the respective manufacturer directly.
Report security vulnerabilities
Please send your message to: vulnerability@bn-its.de
Reports may also be submitted anonymously upon request. To ensure prompt processing, please provide the following information, if available:
- Affected product or service
- Description of the vulnerability and potential impact
- Steps to reproduce the issue
- Tools used, test environment, or evidence (screenshots, logs), if applicable
Any individual or organization can report potential security vulnerabilities—regardless of whether a service contract is in place or whether the affected product is currently in its active lifecycle. We welcome reports from independent security researchers, customers and partners, industry organizations, CERTs, and other responsible sources.
Collaboration and Communication
Once we receive a report, we strive to process it quickly and communicate transparently. bn-its and the development teams involved will do their utmost to:
- confirm receipt of the report within two business days,
- analyze and assess the reported vulnerability,
- provide an estimated timeline for potential corrective actions,
- notify the reporter as soon as a fix or solution has been implemented.
It may take up to two business days to acknowledge receipt of your submission. This does not include weekends or public holidays in the state of Bavaria. While your submission is being processed, we will keep you regularly updated on its progress, provided that new relevant information becomes available.
Coordinated Vulnerability Disclosure
bn-its supports the principle of coordinated disclosure. We therefore ask that you treat any vulnerabilities you discover as confidential until a suitable solution has been provided or until 120 days have passed since the initial report—whichever comes first. As a small team, we need this time to carefully analyze reported vulnerabilities, develop countermeasures, and implement them in our products.
Public disclosure before this period expires may pose unnecessary risks to our customers and systems. If a reporter intends to disclose a vulnerability after the 120-day period has expired, we ask that they coordinate with our team in advance.
For confirmed vulnerabilities of significant relevance, we coordinate the assignment of a CVE identifier through the Federal Office for Information Security (BSI), which serves as the designated CVE Numbering Authority (CNA), and publish a corresponding security advisory as needed. We report serious vulnerabilities and security-related incidents to the BSI in accordance with the requirements of the Cyber Resilience Act (CRA), and the BSI forwards this information to ENISA.
Expectations for Reporters
To ensure that security vulnerabilities are handled responsibly, we ask those who report them to:
- not disclose the reported vulnerability publicly or share it with third parties until it has been resolved or the 120-day period has expired,
- not take any actions that could result in damage to systems, data, or services,
- respect the privacy and security of our customers at all times,
- not engage in any activities that violate applicable law.
bn-its will not take legal action against individuals who report security vulnerabilities in good faith, provided they adhere to the principles of this policy and act responsibly.
We greatly appreciate the dedication of security researchers and whistleblowers. Their support helps us continuously improve the security of our systems and protect our customers as best as possible.
Thank you for helping to ensure the safety of our products and the online community.
bn-its Team