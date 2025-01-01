1. Values and Principles

Cybersecurity (hereafter "security") is of great importance for Kärcher's IoT products and digital services. We pursue a security-by-design approach and are committed to maintaining the safety and security of our IoT products and digital services throughout their lifecycle. However, cybersecurity is a moving target and the threat landscape evolves continuously. New insights, attack capabilities, and vulnerabilities can be discovered at any time. Although we design our products with security in mind from the start, they can never reach 100 % perfect security.

Kärcher is committed to continuously supporting and improving the security of its IoT products and digital services. To that end, Kärcher wants to work closely with the security community. We welcome and encourage researchers, authorities, business partners, and other private and public actors to contact us about security issues, vulnerabilities, possible exploits, and similar findings relating to our IoT products and digital services. We regard every relevant piece of security information provided by a third party as a valuable contribution to our cybersecurity architecture.

2. Conditions of Reporting and Disclosure

Kärcher will make communication with the security community as easy and accessible as possible. However, the following points are important so that we can respond to reports quickly and effectively:

2.1 General:

Reports can be sent in English or German

No contracts or Non-Disclosure Agreements are required

Reports must refer to either...

...a Kärcher IoT product, that is, a product that bears the Kärcher logo and has some form of connectivity (Wi-Fi, Bluetooth, Zigbee, etc.), or

...a digital service provided by Kärcher over the internet

We encourage reporters to use encrypted email communication.

Kärcher will not pursue legal claims or charges of any kind in relation to the reporting of findings, vulnerabilities, exploits, etc., provided that the following conditions are met:

...The reporter does not cause harm to Kärcher and/or its affiliates, customers, suppliers or partners

...The reporter does not compromise the privacy or safety of Kärcher and/or its affiliates, customers, suppliers or partners or the operation of Kärcher's services

...The reporter refrains from publishing his/her findings until Kärcher has been able to provide a fix for them

...The reporter's testing does not violate any law, and does not disrupt or compromise any data or confidential information that is not his/her own

2.2 Required Content for a Report

Affected IoT product (preferably with type designation or serial number) or digital service (identified by full domain name or URL)

Contact information of the reporter for further communication (identifiable or anonymous)

Detailed description of the effect, insight or vulnerability (if possible with logs, images, or other additional material needed to reproduce the finding)

Title or category of the finding (if possible based on the OWASP categories or the CWE database)

If known: Impact, dependencies or other effects of finding

If known: CVSS v3 score of the finding or an estimate of CVSS-like parameters (e.g. privileges required, user interaction required, availability of attack tools, etc.)

If known: how widely the finding, vulnerability, exploit, etc. is already known

Note: We will analyze every report we receive. The more information we receive, the better we can respond to the report. If we do not receive sufficient information, we may have to put the report on hold or not follow it up.

2.3 Process of Disclosure