Information Security

Responsible Disclosure / Reporting Security Vulnerabilities

Information security is an essential part of our management system and is implemented in accordance with the requirements of TISAX (Trusted Information Security Assessment Exchange).

Despite extensive protective measures, security vulnerabilities cannot be completely ruled out. We therefore welcome reports from external parties regarding potential vulnerabilities, information security incidents, and physical security incidents, and we are committed to handling such reports in a structured and confidential manner.

Scope

This policy applies to all publicly accessible systems, applications, and services, as well as to the physical locations and facilities of the Wallstabe & Schneider Group.

Reporting Security Incidents and Vulnerabilities

Please report any identified or suspected:

  • IT security vulnerabilities or cyberattacks
  • Unauthorized access to systems or data
  • Suspicious activities indicating an information security incident
  • Physical security incidents (e.g., unauthorized access, missing security measures, suspicious activities at company locations)

to:

isms@wallstabe-schneider.de

To ensure efficient processing, please include the following information where possible:

  • Detailed description of the vulnerability or incident
  • Time and date of discovery
  • Affected systems, applications, locations, or areas
  • Steps to reproduce the issue, if applicable
  • Optional: Contact details for follow-up questions

Secure Communication

If you need to transmit confidential or sensitive information, we recommend using appropriate security measures (e.g., encrypted email). Upon request, we can provide suitable methods for secure communication.

Handling and Response Times

  • Incoming reports are documented and assessed in accordance with our ISMS
  • We generally acknowledge receipt of your report within 5 business days
  • If contact details are provided, we will keep you informed of the progress to an appropriate extent

Responsible Behaviour

We expect that you will:

  • Not modify, delete, or exfiltrate data without authorization
  • Not actively exploit systems beyond what is necessary to demonstrate the issue
  • Not perform automated or resource-intensive testing without prior coordination
  • Not bypass or test physical security mechanisms (e.g., access control systems)
  • Maintain confidentiality regarding the discovered vulnerability

Disclosure of Information

Public disclosure of vulnerabilities may only take place after coordination with us and after the vulnerability has been remediated.

Legal Framework

If you act in good faith and comply with this policy, we will refrain from taking legal action against you. This does not apply to unlawful activities, particularly those involving malicious intent or violations of applicable law.

Documentation and Tracking

All reports are recorded, assessed, and tracked within the framework of our Information Security Management System (ISMS). This includes in particular:

  • Classification of the incident (including physical security incidents)
  • Assessment of risks and impacts
  • Initiation and tracking of corrective measures

We thank you for your support in continuously improving our information security.