Introduction 

At Grundfos, we are committed to a high level of cybersecurity, and we greatly value the contributions of security researchers and the broader community in helping us maintain robust security standards. We strongly encourage reading this policy in full to ensure the appropriate handling of vulnerability reports. 

Purpose and scope 

The purpose of this policy is to set out a process for reporting vulnerabilities to Grundfos in all systems branded by Grundfos and in products, solutions and services offered under the Grundfos brand.

Out of Scope

The following are not covered by this policy: 

  • Vulnerabilities in products or services that have been licensed to or are managed by a third party. 
  • Non-system issues, such as social engineering or manipulation.
  • Cybersecurity incidents or attacks, including Denial of Service (DoS) vulnerabilities. 

Process 

Reporting a Vulnerability 

If you believe you have discovered a security vulnerability, please report this vulnerability to Grundfos at ResponsibleDisclosure@grundfos.com.  

Please include the following information: 

  • A detailed description of the vulnerability. 
  • Steps to reproduce the issue. 
  • Any proof-of-concept code, if applicable. 
  • Potential impact of the vulnerability. 
When you report the vulnerability, please 

  • if you include screenshots, attach them in MS Word or PDF format rather than embedding them in the email body. 
  • ensure that the email subject line remains clear and unobfuscated. 
  • remember to include your public key so we can respond securely. 
Analysis

Upon receiving a report, Grundfos will begin investigating the potential vulnerability in accordance with our internal procedures. We will keep you updated throughout the process and may request additional information to reproduce the vulnerability. If confirmed, a risk assessment will be conducted to determine its severity and potential impacts. 

Handling

Should the vulnerability be validated, Grundfos will develop a remediation plan. The implementation of this plan will be prioritized based on the severity of the issue and the risk analysis conducted. 

Disclosure of a Vulnerability 

Once the vulnerability has been resolved through analysis and handling, Grundfos will disclose it to the relevant parties. We aim to balance transparency with the need to give our partners sufficient time to implement the necessary fixes. As such, the publication of advisories may be delayed to mitigate potential risks. Grundfos acknowledges all individuals, organizations, or companies that have voluntarily reported vulnerabilities and assisted us in improving our cybersecurity. 

The Process

  • We will acknowledge receipt of your report within 3-5 business days. 
  • An initial assessment will be provided within 10 business days. 
  • We will keep you informed on the progress with a weekly update. 
  • Our goal is to resolve critical issues within 90 days of the initial report. 
  • Grundfos will inform authorities and partners in accordance with applicable legislation and agreements.

Safe Harbor

Grundfos will not take legal action against parties who: 

  • Make a good faith effort to comply with this policy. 
  • Do not compromise the privacy of our users, employees, or customers. 
  • Do not disrupt our services. 
  • Do not destroy data or harm our systems. 

Public Disclosure 

We ask that you refrain from publicly disclosing the vulnerability until we have had the opportunity to address it. 

Rewards 

Although we do not currently offer a paid bug bounty program, we will publicly acknowledge parties who report valid vulnerabilities unless they request anonymity. 

Legal 

Throughout the vulnerability disclosure process, you are expected to: 

  • Adhere to all applicable laws and regulations. 
  • Avoid exploiting the vulnerability beyond what is necessary to demonstrate its existence. 
  • Refrain from disrupting Grundfos services. 
  • Avoid using high-intensity or invasive scanning tools. 
  • Take all reasonable measures to prevent negative impacts on the safety or privacy of individuals. 
  • Anonymize any sensitive data found or reported. 
  • Refrain from accessing, modifying, or deleting unnecessary, excessive, or sensitive data. 
  • Ensure secure deletion of any data retrieved as part of your vulnerability report once it is no longer required. 
This policy does not constitute a waiver of any rights or create obligations beyond those explicitly stated. Grundfos reserves the right to take legal action in cases of non-compliance.