This document contains a public description of the contact information, charter, policies, and services of CERT@VDE (the “Computer Emergency Response Team” at VDE Association for Electrical, Electronic & Information Technologies) according to RFC 2350 (Expectations for Computer Security Incident Response, https://www.ietf.org/rfc/rfc2350.txt). This Best Current Practice track document has become the de facto standard in the CERT community for listing the important facts about a CERT and describing the services and operating procedures that can be expected of it.
This is version 0.9, published 2018-03-13.
Update notifications are provided via RSS.
The current version of this CSIRT description document is available from the CERT@VDE WWW site; its URL is https://cert.vde.com/en-us/contact/rfc2350/. Please make sure you are using the latest version.
This document is delivered via HTTPS. Please make sure that the website certificate was issued for “cert.vde.com” by “Let's Encrypt Authority X3”, and that it is displayed as valid by your browser.
VDE Verband der Elektrotechnik Elektronik Informationstechnik e.V.
60596 Frankfurt am Main
Europe/Berlin (GMT+0100, and GMT+0200 from the last Sunday in March to the last Sunday in October)
This is a team address that reaches the person(s) on duty for CERT@VDE.
PGP Key: 4096R/C3E3E8AD
PGP Fingerprint: F5F7 FFB6 32D9 EAC7 1E74 F344 0CF5 E79A C3E3 E8AD
Only employees of VDE Association for Electrical, Electronic & Information Technologies work for CERT@VDE. Their names are listed in the Trusted Introducer Directory (for TI accredited teams only).
CERT@VDE's hours of operation are generally restricted to regular business hours: Monday to Thursday, 09:00-16:00 CET, and Friday, 09:00-15:00 CET.
CERT@VDE does not operate on days when the VDE Headquarters are closed for business (December 24th and December 31st, all public holidays in the State of Hesse, Germany, and the following dates in 2018: April 30th, May 11th, June 1st, December 27th and December 28th).
CERT@VDE assists SMEs in the industrial automation sector with the handling of vulnerabilities and product security incidents, enabling cross-organizational collaboration.
CERT@VDE addresses manufacturers, users, operators and integrators in the automation industry, with a focus on small and medium-sized enterprises. The services of CERT@VDE are oriented towards the needs of product security teams within our constituency.
CERT@VDE is responsible for the IPv4 addresses in the network 220.127.116.11/27, as well as for all domains that resolve to these addresses (currently, only cert.vde.com is in use).
CERT@VDE is a member of the German CERT alliance “Deutscher CERT-Verbund” (https://www.cert-verbund.de) and is an accredited member of Trusted Introducer (https://www.trusted-introducer.org). CERT@VDE will maintain cooperation with ICS-CERT (https://ics-cert.us-cert.gov), ENISA, BSI (German Federal Office for Information Security), and other organisations, according to the wishes of the constituency.
CERT@VDE's operation is based on voluntary cooperation of its supporters. It does not have formal authority to speak for its supporters or any other organisation, except as explicitly or implicitly authorised (e.g. to work with ICS-CERT on advisories without the need to confirm their content with the affected vendor). It has the mandate to process incoming vulnerability reports affecting its supporters, to publish advisories for their products in a coordinated disclosure process, to assign CVE IDs to vulnerabilities covered in those advisories, and to create entries in the NVD for these CVE IDs.
CERT@VDE assists the target group in dealing with security vulnerabilities through structured information exchange and status analysis. For this purpose, CERT@VDE accepts reports of IT security incidents and examines, evaluates and records them in order to coordinate and support the target group's handling of IT security incidents.
CERT@VDE will run a warning and information system for IT security vulnerabilities and current threats, to pass on product security information effectively from the target group to third parties, as well as from third parties to the target group. This enables the target group to take preventive action before an emergency occurs. CERT@VDE also assists with creating and developing IT security standards and best practices.
CERT@VDE is authorised to process vulnerability reports for products of its supporters. It is not authorised to handle security incidents within their organisations, but it will forward all incident reports to the proper contact persons. If you are not willing to share certain (or all) contact details, you can also report anonymously or pseudonymously. If you ask CERT@VDE to keep your contact information private, we will honour that request. Otherwise, for a proper and complete registration of vulnerabilities, we ask you to include the following data:
Your classification of the reported vulnerability:
Information about the reported vulnerability:
Information about our disclosure policy (which is in German) will be added at a later date.
In view of the types of information that CERT@VDE will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be treated like e-mail for these purposes: sensitive data should be encrypted for transmission.
[Sections 5 and 6 of RFC 2350 will be left out, as CERT@VDE currently does not handle incidents within our constituency.]
While every precaution will be taken in the preparation of information, notifications and alerts, CERT@VDE assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.