Please use this page to report potential security vulnerabilities in products and software. Further information on the disclosure of security vulnerabilities can be found in the following guidelines.
Policy on the disclosure of security vulnerabilities
Zumtobel is a provider of integrated lighting solutions for professional indoor and outdoor applications, offering a comprehensive range of high-quality luminaires, lighting control systems and multi-purpose sensors for various professional lighting applications. As a manufacturer of technologically advanced control systems and software, Zumtobel also regards safety and security as core values. That is why Zumtobel is committed to ensuring the security of users of Zumtobel products and software by safeguarding their privacy and data.
Zumtobel appreciates the contributions of external security researchers who act in good faith to help Zumtobel maintain a high standard of data protection for our users and systems. This policy aims to offer security researchers clear instructions on conducting vulnerability disclosure activities and to explain our preferences on how to report vulnerabilities to us.
We strongly encourage you to contact us to report potential security vulnerabilities in products and software.
Zumtobel will work with you in good faith to understand and resolve any issue, provided you adhere to this policy during your security research.
For the purposes of this policy, “research” means activities where you:
Notify us as soon as possible if you have discovered an actual or potential security issue;
Make every effort not to breach privacy, impair the user experience, disrupt production systems, or destroy or manipulate data;
Only use exploits to the extent necessary to confirm the presence of a vulnerability; do not use an exploit to compromise or exfiltrate data, to establish persistent command-line access, or to access other systems;
As soon as you have discovered a security vulnerability or have come across sensitive data (including personal information, financial information, confidential information or trade secrets of a party), you must immediately cease your activity and notify us promptly. You must not share this data with other individuals.
This policy applies to the following systems and services: Zumtobel products, associated firmware and product-related software.
Report a security vulnerability
Information provided under this policy will be used solely for defensive purposes – to mitigate or address vulnerabilities. Should your findings reveal vulnerabilities that affect all users of a product or service and not just Zumtobel, we may forward your report with anonymised information to affected parties such as suppliers, partners, dealers and customers without your explicit permission.
We accept vulnerability reports by email to product-security(at)zumtobelgroup.com. Requests that do not pertain to vulnerabilities in our products, firmware or product-related software will not be processed.
Reports can be submitted anonymously.
How to report a vulnerability
To help us review and prioritise reports, we recommend that your report:
Is created in English where possible;
Contains a description of the problem;
Mentions the article number of the relevant product;
Indicates the manufacturing date of the product (if applicable);
Specifies the software version (if applicable);
Describes the location where the vulnerability or security issue was discovered, as well as the potential impacts of exploitation;
Includes a detailed description of the steps required to reproduce the security vulnerability (proof-of-concept scripts or screenshots are helpful);
States what you expect from us (e.g. response times);
Includes your contact details, so that we can commit to communicating with you as openly and quickly as possible.
We will confirm that we have received your message within 5 working days, excluding Saturdays.
Once you have submitted a report to us, we will provide you with a status update every 20 calendar days until the security issues reported have been resolved.