Empowering buildings with high-quality DDC-Controllers, sensors, and automation technology

X
  • No products in the list

PSIRT – Cybersecurity at SE-Elektronic

Through our PSIRT, we respond to security risks quickly, in a structured and transparent manner.

Cybersecurity at SE-Elektronic - PSIRT

Cybersecurity is becoming increasingly important in the field of building automation. SE-Elektronic supports you in this area with a structured approach to handling security incidents through our Product Security Incident Response Team (PSIRT).

Our goal is to continuously ensure the security of our products and systems and to minimize potential risks at an early stage. As soon as new vulnerabilities or threats come to light, we promptly provide you with well-founded recommendations for action, security updates, and patches so that you can respond quickly and effectively.

Despite comprehensive testing processes, not all security vulnerabilities can be identified in advance. That is why we rely on the support of our users and partners: If you notice any irregularities, potential vulnerabilities, or security-related anomalies in our products or services, please report them to us through our designated reporting channel.

Together, we help ensure that building automation systems are operated safely and in a way that is future-proof.


Current Safety Information & Announcements

Here you will find all current security advisories and announcements published by our PSIRT.

PSIRT - Vulnerability Disclosure Policy

This policy serves as a guide for the responsible identification and reporting of vulnerabilities. It explains how to report potential security vulnerabilities to us in a structured manner and how we handle such reports together with you.

Here, you’ll learn how to report vulnerabilities to us, what information we need, and what the next steps are. Our goal is to work together to find solutions—before the information becomes public.

If you discover security vulnerabilities in our products, we strongly encourage you to report them to us confidentially first. Please give us the opportunity to analyze and resolve the issue before it is made public.

To report product vulnerabilities, please contact us at [email protected]—you may do so anonymously if you wish.

As a token of our appreciation, we are happy to acknowledge reported vulnerabilities and, upon request, mention them by name.

Here’s how to report a vulnerability.

PSIRT-Policy

Authorized Security Research

We welcome reports of potential vulnerabilities in our products and digital components. Anyone who conducts security research responsibly and adheres to the principles outlined in this policy is acting in our best interests.

If you proceed to the best of your knowledge, carefully, fairly, and without malicious intent, we will consider your investigation to be authorized security research. Our goal is to work with you to quickly understand and assess reported vulnerabilities and to take appropriate steps to address them.

Guidelines for Responsible Reporting

For the purposes of this policy, we define responsible security research to mean, in particular, that you:

  • Please notify us as soon as possible if you discover an actual or potential vulnerability,
  • conduct tests only to the extent necessary to verifiably confirm a vulnerability,
  • do not modify, delete, copy, or disclose any data without authorization,
  • not interfere with any systems, services, or users,
  • give us enough time to analyze the vulnerability and provide a solution before any information is made public,
  • refrain from using automated bulk notifications or reports that lack a sufficient technical basis.

We expressly ask that you not disclose any vulnerabilities you discover without prior consultation. Please give us the opportunity to carefully review the issue and implement appropriate protective measures.

You can find out the best way to report vulnerabilities here.

Legal Protection (Safe Harbor)

SE-Elektronic welcomes and supports responsible security research. We will not take legal action against individuals who report potential vulnerabilities in good faith and adhere to the principles outlined in this policy.

This is contingent upon security tests being conducted responsibly, no disruption to systems, data, or users occurring, and any vulnerabilities discovered being reported to us confidentially. Premature or uncoordinated public disclosure must be avoided.

We ask that you allow us sufficient time to analyze and address the reported vulnerability. In this context, we consider such activities to be authorized security research as defined in our Vulnerability Disclosure Policy.

Scope of Application

This policy applies to products, software, firmware, and digital components from SE-Elektronic, particularly in the context of building automation and control technology.

It covers all systems and solutions developed, operated, or managed by SE-Elektronic. The goal is to systematically record safety-related information and enable the efficient processing and assessment of potential vulnerabilities.

The scope of application includes, in particular:

  • DDC Controllers and Automation Stations
  • Firmware, embedded software, and product-specific applications
  • Digital interfaces, communication protocols, and network connections (e.g., BACnet-based systems)
  • Product-related tools, configuration software, and supporting components
  • Features and services directly related to our products

This policy does not apply to third-party systems, applications, or services that are not developed, operated, or managed by SE-Elektronic. This includes, in particular, external platforms, infrastructure components, or integrations outside our control.

If you are unsure whether your report falls under this policy, you can still contact us at any time. We will carefully review your inquiry and, if necessary, forward it to the appropriate department.

What You Can Expect From Us

If you report a vulnerability to us and provide your contact information, we will handle your report in a transparent, structured, and responsible manner.

You will receive an acknowledgment of receipt immediately, so you’ll know that we’ve received your report. An initial technical assessment will be conducted immediately after the initial review. We will then investigate the reported vulnerability together with the relevant departments, development teams, and—if necessary—partners.

Further disclosures will be coordinated and will depend on when a suitable solution, an update, or appropriate protective measures can be made available. Our goal is to responsibly address security vulnerabilities before information is made public.

Please note: We can only provide you with clear feedback on the status of your report if you include your contact information in your email.

You can find the latest reports here.

Publication and Recognition

If a reported vulnerability is confirmed, we carefully coordinate the next steps. We generally do not make the vulnerability public until a suitable solution, an update, or another protective measure is available, or until we have coordinated with the relevant parties.

Depending on the nature and severity of the vulnerability, the disclosure may take the form of a security advisory, for example. If necessary, we coordinate with the appropriate coordinating bodies or partners.

We value the contributions of responsible security researchers. Upon request, we will be happy to consider including a byline or acknowledgment in the publication.

How to Report Potential Vulnerabilities

Anyone can report potential security vulnerabilities to SE-Elektronic’s PSIRT—regardless of whether you are a customer, partner, or external security expert.

We strongly encourage you to responsibly share any vulnerabilities you discover with us. No non-disclosure agreement (NDA) or other contract is required for this collaboration. We are committed to handling all reports professionally, systematically, and in a spirit of partnership.

We particularly value our collaboration with the security community—including security researchers, universities, CERTs, business partners, and public institutions.

Since our solutions are also used in critical infrastructure, we ask that you coordinate the disclosure of security vulnerabilities with us. This allows us to ensure that appropriate measures to resolve the issue or minimize the risk can be implemented first.

Please send all emails regarding this matter to [email protected]

PGP Public Key
You can find the PGP key here: Download Public PGP Key.
PGP Fingerprint: 11F558390E6C13F4D951FA682D0ED4FB560A3277

PSIRT-Meldungen (1)

What information helps us

What information should be included?

To help us process your report quickly and efficiently, please provide the following information, if possible:

Affected Product
  • Product name
  • Version / Firmware / Build
  • Operating Environment
Description of the Vulnerability
  • Detailed description of the problem
  • Potential consequences (e.g., unauthorized access, data loss, system failure)
Steps for Reproduction
  • Step-by-Step Guide to Adjustment
  • Prerequisites (e.g., user permissions, configuration)
  • Expected Behavior vs. Actual Behavior
Evidence and technical details (if available)
  • Screenshots, videos, or logs
Information on Use and Disclosure

Please also let us know—if you have this information—the following:

  • Has the vulnerability already been actively exploited, or is it currently being exploited?
  • Has the vulnerability already been made public? (e.g., disclosure by third parties, forums, CVE entry, etc.)


This information helps us prioritize and assess risks.

Privacy Policy / Contact Information

Please provide only the personal information necessary to process the vulnerability report.

Please note that, for technical reasons, your sender email address is automatically transmitted when you contact us via email.

If you would like to receive a response—whether you have questions about the vulnerability or after the vulnerability has been resolved—please explicitly state:

“I consent to being contacted”

Here you'll find the latest reports

Our PSIRT coordinates the assessment, investigation, and communication of security vulnerabilities in our DDC controllers, automation solutions, and BACnet-based systems. Our goal is to ensure transparency and provide you with reliable, practical information on IT and OT security at all times.

Here, we publish security advisories regarding confirmed vulnerabilities, including possible countermeasures, updates, and recommendations for the secure operation of your systems. These are available for download as PDF or CSAF files for machine-readable formats.

If you have any questions, please feel free to contact [email protected].

CVE-ID Score Title Last Update Reported by Download PDF CSAF
CVE-2024-1015 9.8 Multiple vulnerabilities in Firmware V03.07.03 and later Vulnerabilities may allow arbitrary code execution or cause a Denial-of-Service (DoS) system outage 07 Jul 2026 Carlos Antonini from Spanish National Cybersecurity Institue, S.A (INCIBE) PDF CSAF
CVE-2024-1014 6.2 Multiple vulnerabilities in Firmware V03.07.03 and later Vulnerabilities may allow arbitrary code execution or cause a Denial-of-Service (DoS) system outage 07 Jul 2026 Carlos Antonini from Spanish National Cybersecurity Institue, S.A (INCIBE) PDF CSAF