1 Document Information
1.1 Date of Last Update
February 2, 2023
1.2 Distribution List for Notifications
Advisories will be published as part of the ProductNews newsletter (firstname.lastname@example.org).
You may register for the newsletter here: https://www.contact-software.com/en/registration-product-newsletter/.
The published advisories can be found in our customer and partner portal Aloha.
1.3 Locations where this Document May Be Found
This document can be downloaded via HTTPS from the CONTACT Software GmbH homepage: https://www.contact-software.com/en/security
2 Contact information
2.1 Name of the Team
CONTACT Software Security Team
Physical deliveries can be addressed to:
CONTACT Software GmbH
Wiener Straße 1-3
2.3 Time Zone
The team operates in the Europe/Berlin time zone: Central European Time / Mitteleuropäische Zeit (CET/MEZ).
It is usually accessible during typical business hours, Monday to Friday.
2.4 Telephone Number
The central office can be reached at: +49 421 20153-0
Ask to be put through to the security team.
2.5 Facsimile Number
Must not be used for security purposes; use e-mail instead.
2.6 Other Telecommunication
None for security purposes.
2.7 Electronic Mail Address
2.8 Public Keys and Encryption Information
The current public PGP key can be fetched from the keyserver at https://keys.openpgp.org/ using the e-mail address listed in section 2.7.
It is also listed here:
2.9 Team Members
No public information about team members is disclosed.
2.10 Points of Customer Contact
The preferred method for contacting the security team is via e-mail at <email@example.com>. If it is not possible (or not advisable for security reasons) to use e-mail, the security team can be reached by telephone during regular office hours. The security team's hours of operation are generally restricted to regular business hours (09:00am – 05:00pm, Monday to Friday except holidays).
3.1 Mission Statement
The purpose of the security team is, first, to help improve the security of the products made by CONTACT Software GmbH and, second, to assist customers and partners in responding to incidents or vulnerabilities related to CONTACT Software GmbH products.
The security team provides its services to the following groups. The level of service varies by group and may be subject to support contracts.
- Employees (especially development and support related) at CONTACT Software
- Customers using CONTACT Software products
- Partners of CONTACT Software
Topics relating to general operations, the web site or other security-related matters concerning CONTACT Software GmbH may be handled on a case-by-case basis. Usually those will be forwarded to the responsible persons and not handled by the security team itself.
3.3 Sponsorship and/or Affiliation
The security team is affiliated with the software development (SD) department of CONTACT Software GmbH.
The security team has authority over the software development and release process at CONTACT Software GmbH.
It has NO authority over the deployed systems at customer sites and can only act in an advisory capacity for those. It also has NO authority over products that are based on CONTACT Software GmbH products but distributed and marketed by partners. It also has NO direct authority over the website or most other operational services used by CONTACT Software GmbH.
4.1 Types of Incidents and Level of Support
The security team's focus on the product rather than on the operation of deployed systems is reflected in the types of incidents handled and the support provided.
The security team will provide support for the following incidents and topics. The level of support varies by topic and the parties involved and may be subject to support contracts.
- Handle reporting of vulnerabilities in CONTACT Software GmbH products
- Handle the disclosure process for vulnerabilities and patches
- Provide consulting support for teams inside CONTACT Software GmbH
- Provide tools and documentation about security topics
- Provide advice or assistance to customers' CSIRT teams when resolving incidents related to or involving CONTACT Software GmbH products
- Provide limited consulting support for customers regarding secure deployment or operations practices of CONTACT Software GmbH products
- Provide consulting support for partners for security topics related to CONTACT Software GmbH products
4.2 Co-operation, Interaction and Disclosure of Information
CONTACT Software GmbH Security Team supports cooperation and information sharing with other CERTs/CSIRTs. Information is passed on only according to its classification and on a need-to-know basis, unless we are required to do so by law. CONTACT Software GmbH Security Team follows the responsible disclosure methodology (see the OWASP Vulnerability Disclosure Cheat Sheet) with a usual timeframe of 30 days for security patches, which may be extended to 90 days if needed.
4.3 Communication and Authentication
When communicating by e-mail via the firstname.lastname@example.org address, messages will be signed with the security team's PGP key as listed in section 2.8. The current key may be retrieved from the keyserver at https://keys.openpgp.org/. All sensitive communication to CONTACT Software GmbH Security Team should be encrypted with our public PGP key. Senders should sign their messages if possible.
5.1 Incident Response
All incidents related to **products** of CONTACT Software GmbH will be evaluated. Incidents related to CONTACT Software GmbH services or other topics will be forwarded to the responsible business units. Senders are encouraged to use the usual points of contact (if known) for those interactions, as CONTACT Software Security Team is only a fallback for operational concerns. If necessary, in-depth analysis is provided by technical experts.
5.1.1 Incident Triage
- Incoming incident reports are evaluated, prioritized and compared to ongoing incidents.
- Incidents are:
– checked for whether they are comprehensible from the information given
– classified with a severity and scope
5.1.2 Incident Coordination
- Incident-related information objects (e.g. log files, ...) will be classified according to our information disclosure policy.
- All other involved internal and external parties will be notified on a need-to-know basis, respecting our information disclosure policy, unless we are required to do otherwise by law.
5.1.3 Incident Resolution
- The cause of the incident will be determined and its effects will be mitigated.
- Analysis of compromised systems, where applicable.
5.2 Proactive Activities
- Security training for CONTACT employees
- Security reviews in the secure (product) development lifecycle (SDL)
- Secure deployment guides / best practice guides
- Development of security configuration tools
- Introduction of new security requirements into product roadmap
- Publication of Security Advisories
- In-house penetration testing and investigation of customers' penetration testing results
- Continuous Integration / Continuous Deployment with static code analysis
- Post-Mortem analysis to learn from the past
6 Incident Reporting Forms
No special incident reporting form is necessary. Please use the email address listed in section 2.7. Please include the following information with your reports.
- Contact Details
– name of person
– name and address of organization
– e-mail address, telephone number, PGP key information if available
- Short summary of the incident
- Systems affected:
– Product Names and Versions involved
– Additional information
– Details of the observations that led to discovery (e.g. log files, screenshots, etc.)
If possible, please sign your message with your PGP key so that a secure communications channel can be established.
While every precaution will be taken in the preparation of information, notifications and alerts, CONTACT Software GmbH assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.