Introduction
SEP GmbH takes security seriously. We are committed to ensuring that users can effectively secure their SEP sesam backup and recovery software infrastructure. To achieve this, SEP GmbH employees in the support, development, and quality assurance departments collaborate closely to promptly identify and fix security vulnerabilities in SEP sesam, and to continually improve its overall security.
This policy is intended to provide clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. It describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in our software systems.
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and SEP GmbH will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Guidelines
Under this policy, “research” means activities in which you:
Notify us as soon as possible after you discover a real or potential security issue.
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
Do not submit a high volume of low-quality reports.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Test methods
The following test methods are not authorized:
Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
Scope
This policy applies to the "SEP sesam" backup and recovery software for virtual and physical environments.
Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren't sure whether a system is in scope or not, contact us at vulnerabilities(at)sep(dot)de before starting your research.
Non-Issues
We do not consider the following SEP sesam features to be vulnerabilities:
Using SEP sesam scripting interfaces https://wiki.sep.de/wiki/index.php/Using_Pre_and_Post_Scripts
Using SEP sesam commands and command events https://wiki.sep.de/wiki/index.php/Commands
Using SEP sesam Command Line Interface https://wiki.sep.de/wiki/index.php/SEP_sesam_CLI
Vulnerabilities that can only be exploited by users who already hold root or administrator privileges will generally not be considered vulnerabilities.
Bug bounties / Rewards
We do not offer bug bounties or rewards.
Reporting a vulnerability
You can send the vulnerability report to vulnerabilities(at)sep(dot)de. Please provide the following information in your email:
What type of vulnerability is it?
Who would be able to exploit the vulnerability and what would they gain from it?
What are the steps to reproduce the vulnerability?
Please include attachments, such as screenshots, scripts, or logs, that may assist us in reproducing and analyzing the vulnerability.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. We will not share your name or contact information without express permission.
What you can expect from SEP GmbH
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
We will acknowledge receipt of your report and give you an update on the status of the vulnerability within two weeks.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
We will maintain an open dialogue to discuss issues.
Questions
Questions regarding this policy may be sent to vulnerabilities(at)sep(dot)de. We also invite you to contact us with suggestions for improving this policy.