# Security Policy

## Reporting a Vulnerability
BAUER GROUP takes the security of our products seriously. If you believe you have found a security vulnerability, please report it to us as described below.
### Preferred Method: GitHub Security Advisory
For each affected repository, use Security → Advisories → New Draft Advisory to report the vulnerability confidentially.
### Email
Email: disclosure@cra.docs.bauer-group.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Affected product(s) and version(s)
- Impact assessment (if possible)
- Your contact information
## What to Expect
| Milestone | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial Assessment | Within 7 days |
| Status Update | At least every 14 days |
| Coordinated Disclosure | 90 days after report (default) |
## Our Commitment
- We will not take legal action against researchers acting in good faith
- We will acknowledge your contribution (with your permission)
- We will coordinate the disclosure timeline with you
- We will provide regular status updates
## Supported Versions
Please refer to the individual product documentation for supported versions and support periods.
## Scope
This policy applies to all BAUER GROUP products with digital elements, including:
- Software products (web applications, APIs, libraries)
- Container images
- Firmware (ESP32, STM32, Zephyr)
- Published packages (NuGet, NPM)
### Out of Scope
- Social engineering attacks
- Denial of service attacks
- Physical attacks against infrastructure
- Vulnerabilities in third-party products (report to the respective vendor)
## Regulatory Framework
This security policy complies with:
- Cyber Resilience Act (EU) 2024/2847 – Art. 13 (6) & (8)
- ISO/IEC 29147:2018 – Vulnerability Disclosure
- ISO/IEC 30111:2019 – Vulnerability Handling Processes