Responsible Disclosure Policy
At KUNBUS GmbH, we place great importance on the security of our systems and data. We recognize that security vulnerabilities can occur and appreciate the support of security experts and researchers who help us identify and address them. This Responsible Disclosure Policy outlines how you can responsibly report security vulnerabilities and what you can expect from us.
1. Scope
This policy applies to all products and services provided by KUNBUS GmbH, including the Revolution Pi product family.
2. Reporting Process
If you have discovered a security vulnerability, please report it as follows:
- Send an email to psirt@kunbus.com with a detailed description of the vulnerability.
- Use the following GPG key to encrypt your message and keep the information confidential: https://psirt.kunbus.com/.well-known/csaf/openpgp/B484B6F71F2CD32BCCDF7C04C0027DE5D2D76A5F.asc
  Fingerprint: B484B6F71F2CD32BCCDF7C04C0027DE5D2D76A5F
- Include all relevant information, including steps to reproduce the vulnerability, screenshots, and/or code snippets.
- Provide your contact information so we can reach you with any questions.
Coordinators and CNA
If you would like to involve a coordinator or request the CVE yourself, we kindly ask you to use CERT@VDE or CISA ICS as coordinator and CNA.
3. Code of Conduct
To ensure your report is responsibly submitted, please adhere to the following rules:
- Do not access data that does not belong to you.
- Avoid any actions that could affect the availability of our systems (e.g., Denial-of-Service attacks).
- Do not share information about the vulnerability with third parties until we have resolved it.
4. Our Commitments
We commit to handling your report as follows:
- We will acknowledge receipt of your report within 5 business days.
- We will provide an estimated timeline for addressing the vulnerability within 10 business days.
- We will investigate the vulnerability and keep you informed about the progress and planned actions.
- We will strive to resolve the vulnerability as quickly as possible and will inform you of the solution.
- We will credit you for the discovery, if you wish, once the vulnerability is resolved.
5. Security Advisories
KUNBUS GmbH publishes security advisories on its website at https://www.kunbus.com/en/security-advisories. Furthermore, KUNBUS runs a CSAF trusted provider at https://psirt.kunbus.com/.well-known/csaf/ that also provides ROLIE feeds in JSON format.
We use CSAF v2.0 as the advisory format and consequently CVSS v3.1 and TLP v1. We plan to switch to CSAF v2.1 in the future.
Sharing Rules
KUNBUS security advisories generally carry a TLP v1 label. We kindly ask you to adhere to the TLP sharing rules. In short: TLP:WHITE may be shared freely. TLP:GREEN may be shared within your community. TLP:AMBER may only be shared within your organization, or with clients on a need-to-know basis to prevent further harm.
Aggregated Severity
| Aggregated Severity | CVSS v3.1 base score |
| --- | --- |
| Critical | 9.0 – 10.0 |
| High | 7.0 – 8.9 |
| Medium | 4.0 – 6.9 |
| Low | 0.0 – 3.9 |
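The following script is an added example, not code from KUNBUS, showing how a consumer of the CSAF trusted provider can apply the two rules above: it reads a CSAF v2.0 document, derives the aggregated severity from the highest CVSS v3.1 base score using the table, compares that with the severity the advisory states, and decides from the TLP label which audience the advisory may be shared with. It assumes the standard CSAF v2.0 field names (`document.distribution.tlp.label`, `document.aggregate_severity.text`, `vulnerabilities[].scores[].cvss_v3.baseScore`); the embedded advisory is a constructed sample whose tracking id and CVE numbers are placeholders.

```python
import json

# Lower bound of each aggregated-severity band from the policy's table.
# Using lower bounds only (checked from highest to lowest) means a score
# that is not rounded to one decimal still lands in a band.
SEVERITY_BANDS = [
    ("Critical", 9.0),
    ("High", 7.0),
    ("Medium", 4.0),
    ("Low", 0.0),
]

# Widest audience each TLP v1 label allows, per the policy's sharing rules.
# Labels the policy does not describe are treated as "do not share".
TLP_MAX_AUDIENCE = {"WHITE": "public", "GREEN": "community", "AMBER": "organization"}
AUDIENCE_RANK = {"organization": 0, "community": 1, "public": 2}


def severity_for_score(score: float) -> str:
    """Map a CVSS v3.1 base score (0.0-10.0) to the aggregated severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v3.1 base score out of range: {score}")
    for name, low in SEVERITY_BANDS:
        if score >= low:
            return name
    raise AssertionError("unreachable: the Low band starts at 0.0")


def may_share(tlp_label: str, audience: str) -> bool:
    """True if an advisory with this TLP label may be shared with the audience."""
    limit = TLP_MAX_AUDIENCE.get(tlp_label.upper())
    if limit is None:
        return False
    return AUDIENCE_RANK[audience] <= AUDIENCE_RANK[limit]


def cvss_v3_scores(advisory: dict) -> list[tuple[str, float]]:
    """Collect (CVE, baseScore) pairs for every CVSS v3.1 score in the document."""
    pairs = []
    for vuln in advisory.get("vulnerabilities", []):
        cve = vuln.get("cve", "<no CVE>")
        for score in vuln.get("scores", []):
            cvss = score.get("cvss_v3")
            # CSAF also permits cvss_v2 entries; the policy scores with v3.1 only.
            if cvss and cvss.get("version") == "3.1":
                pairs.append((cve, float(cvss["baseScore"])))
    return pairs


def check_advisory(advisory: dict) -> dict:
    """Summarise TLP handling and compare stated vs. derived aggregated severity."""
    doc = advisory["document"]
    scores = [s for _, s in cvss_v3_scores(advisory)]
    if not scores:
        raise ValueError("advisory carries no CVSS v3.1 score")
    derived = severity_for_score(max(scores))
    stated = doc.get("aggregate_severity", {}).get("text", "")
    tlp = doc.get("distribution", {}).get("tlp", {}).get("label", "")
    return {
        "id": doc["tracking"]["id"],
        "tlp": tlp,
        "stated_severity": stated,
        "derived_severity": derived,
        "consistent": stated.lower() == derived.lower(),
        "share_with": [a for a in AUDIENCE_RANK if may_share(tlp, a)],
    }


# Constructed sample in CSAF v2.0 shape; not a real advisory, and the
# tracking id and CVE ids below are placeholders.
SAMPLE_ADVISORY_JSON = """
{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "title": "Constructed example advisory",
    "publisher": {"category": "vendor", "name": "Example Vendor",
                  "namespace": "https://vendor.example"},
    "tracking": {"id": "EXAMPLE-ADVISORY-0001", "status": "final", "version": "1.0.0",
                 "initial_release_date": "2025-01-01T00:00:00Z",
                 "current_release_date": "2025-01-01T00:00:00Z"},
    "distribution": {"tlp": {"label": "GREEN"}},
    "aggregate_severity": {"text": "High"}
  },
  "vulnerabilities": [
    {"cve": "CVE-0000-0001", "scores": [{"products": ["PROD-1"], "cvss_v3": {
      "version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]},
    {"cve": "CVE-0000-0002", "scores": [{"products": ["PROD-1"], "cvss_v3": {
      "version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}]}
  ]
}
"""


def load_sample() -> dict:
    return json.loads(SAMPLE_ADVISORY_JSON)


if __name__ == "__main__":
    print(json.dumps(check_advisory(load_sample()), indent=2))
```

For a document fetched from the trusted provider, replace `load_sample()` with `json.load()` on the downloaded file; a `consistent: false` result is a signal to re-read the advisory rather than an error in the consumer, since a vendor may state an aggregated severity that reflects product context.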
6. Legal Notices
We acknowledge and appreciate your efforts to responsibly disclose security vulnerabilities. As long as your actions are in good faith and comply with this policy, KUNBUS GmbH will not pursue legal action against you. We also request that you do not disclose, share, or publicize any potential or unresolved vulnerabilities with third parties until they are resolved.
7. Regular Updates
We review and update this policy at least annually, as well as after significant changes or security incidents.
8. Contact
For any questions or further information, please contact us at psirt@kunbus.com.
Last reviewed: 2025-06-12