Responsible disclosure

On this page, security researchers who aim to identify security vulnerabilities can find the necessary information to disclose vulnerabilities to Marel. Please adhere to the rules listed on this page for Responsible Disclosure.

It will take time to handle each stage of the process with the appropriate attention. However, Marel will inform you when progress is made during the significant phases of our responsible disclosure process.

Introduction

Marel follows a responsible disclosure process to manage the discovery and reporting of security vulnerabilities in its software and systems in a controlled and coordinated manner. This process enables you to disclose vulnerabilities that you have discovered in a safe and ethical manner. By doing so, you allow Marel to address the reported vulnerabilities before they are exploited by malicious actors. Responsible disclosure helps to improve the overall security of Marel and protect its business partners, employees and other stakeholders from potential harm. Finally, the responsible disclosure process aims to build trust between security researchers and Marel and to foster a positive and productive relationship between them.

Rules for Issuing a Report

Do’s

Please report on:

  • Vulnerabilities found in public-facing Marel websites.
  • Vulnerabilities found in Marel products, including Software.
  • Please encrypt sensitive information using our PGP key (provided below).

Don’ts

Please do not report:

  • Security threats that are not vulnerability related, such as DDoS attacks.
  • Security issues resulting from social engineering or phishing.

Guidance for submission

  1. Only disclose found vulnerabilities by mailing to responsibledisclosure@marel.com and encrypting the required information with our PGP key (found below).
  2. Include your contact information: name/handle and contact details for follow-up communications.
  3. Include a technical explanation of the found vulnerability including parameters such as the used OS, used infrastructure, related versions, and any other relevant information. For web-based vulnerabilities please include the URLs, browser details, and any other relevant information.
  4. If available, include your proof-of-concept, and other details or configurations used to identify the vulnerability.
  5. Include, if available, the threats you have identified and whether you have seen the vulnerability being exploited in the wild. Ensure that these details are PGP-encrypted as well.
  6. If a vulnerability tracking number (CVE) is available, or if you are in the process of requesting one, please include it.

What are the phases of our process?

The Marel Security Team will inform you of the process during the following stages:

  • Receiving the report
  • Acknowledgement of receiving your report
  • Assigning you a point-of-contact (member of the Marel Security Team)
  • Investigating the vulnerability report
  • Implementing a Patch/Fix for the vulnerability
  • Updating the reporter of the vulnerability
  • Accreditation in Hall of Honors
  • Closure of the responsible disclosure process

Acknowledgement

In recognition of services provided, Marel expresses its gratitude to the following researchers for helping us to improve unity, promote excellence, and secure innovation within our organization. The following individuals were the first to have assisted us in acknowledging or addressing a vulnerability. By doing so, they have demonstrated skill in and a commitment to both helping others and improving security.

Researchers who submit vulnerability reports or conduct testing will be given full credit in any publicly released patch or security fix information if they request it and when it is possible for Marel to do so.

Hall of Honors

  • Pankaj Lakshkar (LinkedIn)
  • Bharath Kalyan
  • Prathamesh Vilayatkar (LinkedIn)
  • Harsh Maheta
  • Nilesh Sanap
  • Vijay Sutar
  • Kartik Garg
  • Parth Narula
  • Shivam Dhingra
  • Vaibhav Jain

PGP

We use PGP (Pretty Good Privacy) to communicate with you for responsibly disclosing vulnerabilities. This provides several benefits, such as confidentiality, authentication, and non-repudiation.

For that reason, Marel has generated a private and public key pair (below), and we ask everyone who wants to responsibly submit a security vulnerability to encrypt their findings and send them to responsibledisclosure@marel.com.

Kind regards,

Marel Security Team
