Cybersecurity is becoming increasingly important in the field of building automation. SE-Elektronic supports you in this area with a structured approach to handling security incidents through our Product Security Incident Response Team (PSIRT).
Our goal is to continuously ensure the security of our products and systems and to minimize potential risks at an early stage. As soon as new vulnerabilities or threats come to light, we promptly provide you with well-founded recommendations for action, security updates, and patches so that you can respond quickly and effectively.
Despite comprehensive testing processes, not all security vulnerabilities can be identified in advance. That is why we rely on the support of our users and partners: If you notice any irregularities, potential vulnerabilities, or security-related anomalies in our products or services, please report them to us through our designated reporting channel.
Together, we help ensure that building automation systems are operated safely and in a way that is future-proof.
Here you will find all current security advisories and announcements published by our PSIRT.
This policy serves as a guide for the responsible identification and reporting of vulnerabilities. It explains how to report potential security vulnerabilities to us in a structured manner and how we handle such reports together with you.
Here, you’ll learn how to report vulnerabilities to us, what information we need, and what the next steps are. Our goal is to work together to find solutions—before the information becomes public.
If you discover security vulnerabilities in our products, we strongly encourage you to report them to us confidentially first. Please give us the opportunity to analyze and resolve the issue before it is made public.
To report product vulnerabilities, please contact us at [email protected]—you may do so anonymously if you wish.
As a token of our appreciation, we are happy to acknowledge reported vulnerabilities and, upon request, mention them by name.
We welcome reports of potential vulnerabilities in our products and digital components. Anyone who conducts security research responsibly and adheres to the principles outlined in this policy is acting in our best interests.
If you proceed to the best of your knowledge, carefully, fairly, and without malicious intent, we will consider your investigation to be authorized security research. Our goal is to work with you to quickly understand and assess reported vulnerabilities and to take appropriate steps to address them.
For the purposes of this policy, we define responsible security research to mean, in particular, that you:
We expressly ask that you not disclose any vulnerabilities you discover without prior consultation. Please give us the opportunity to carefully review the issue and implement appropriate protective measures.
You can find out the best way to report vulnerabilities here.
SE-Elektronic welcomes and supports responsible security research. We will not take legal action against individuals who report potential vulnerabilities in good faith and adhere to the principles outlined in this policy.
This is contingent upon security tests being conducted responsibly, no disruption to systems, data, or users occurring, and any vulnerabilities discovered being reported to us confidentially. Premature or uncoordinated public disclosure must be avoided.
We ask that you allow us sufficient time to analyze and address the reported vulnerability. In this context, we consider such activities to be authorized security research as defined in our Vulnerability Disclosure Policy.
This policy applies to products, software, firmware, and digital components from SE-Elektronic, particularly in the context of building automation and control technology.
It covers all systems and solutions developed, operated, or managed by SE-Elektronic. The goal is to systematically record safety-related information and enable the efficient processing and assessment of potential vulnerabilities.
The scope of application includes, in particular:
This policy does not apply to third-party systems, applications, or services that are not developed, operated, or managed by SE-Elektronic. This includes, in particular, external platforms, infrastructure components, or integrations outside our control.
If you are unsure whether your report falls under this policy, you can still contact us at any time. We will carefully review your inquiry and, if necessary, forward it to the appropriate department.
If you report a vulnerability to us and provide your contact information, we will handle your report in a transparent, structured, and responsible manner.
You will receive an acknowledgment of receipt immediately, so you’ll know that we’ve received your report. An initial technical assessment will be conducted immediately after the initial review. We will then investigate the reported vulnerability together with the relevant departments, development teams, and—if necessary—partners.
Further disclosures will be coordinated and will depend on when a suitable solution, an update, or appropriate protective measures can be made available. Our goal is to responsibly address security vulnerabilities before information is made public.
Please note: We can only provide you with clear feedback on the status of your report if you include your contact information in your email.
You can find the latest reports here.
If a reported vulnerability is confirmed, we carefully coordinate the next steps. We generally do not make the vulnerability public until a suitable solution, an update, or another protective measure is available, or until we have coordinated with the relevant parties.
Depending on the nature and severity of the vulnerability, the disclosure may take the form of a security advisory, for example. If necessary, we coordinate with the appropriate coordinating bodies or partners.
We value the contributions of responsible security researchers. Upon request, we will be happy to consider including a byline or acknowledgment in the publication.
Anyone can report potential security vulnerabilities to SE-Elektronic’s PSIRT—regardless of whether you are a customer, partner, or external security expert.
We strongly encourage you to responsibly share any vulnerabilities you discover with us. No non-disclosure agreement (NDA) or other contract is required for this collaboration. We are committed to handling all reports professionally, systematically, and in a spirit of partnership.
We particularly value our collaboration with the security community—including security researchers, universities, CERTs, business partners, and public institutions.
Since our solutions are also used in critical infrastructure, we ask that you coordinate the disclosure of security vulnerabilities with us. This allows us to ensure that appropriate measures to resolve the issue or minimize the risk can be implemented first.
Please send all emails regarding this matter to [email protected]
PGP Public Key
You can find the PGP key here:
Download Public PGP Key.
PGP Fingerprint: 11F558390E6C13F4D951FA682D0ED4FB560A3277
What information should be included?
To help us process your report quickly and efficiently, please provide the following information, if possible:
Please also let us know—if you have this information—the following:
This information helps us prioritize and assess risks.
Please provide only the personal information necessary to process the vulnerability report.
Please note that, for technical reasons, your sender email address is automatically transmitted when you contact us via email.
If you would like to receive a response—whether you have questions about the vulnerability or after the vulnerability has been resolved—please explicitly state:
“I consent to being contacted”
Our PSIRT coordinates the assessment, investigation, and communication of security vulnerabilities in our DDC controllers, automation solutions, and BACnet-based systems. Our goal is to ensure transparency and provide you with reliable, practical information on IT and OT security at all times.
Here, we publish security advisories regarding confirmed vulnerabilities, including possible countermeasures, updates, and recommendations for the secure operation of your systems. These are available for download as PDF or CSAF files for machine-readable formats.
If you have any questions, please feel free to contact [email protected].
| CVE-ID | Score | Title | Last Update | Reported by | Download PDF | CSAF |
|---|---|---|---|---|---|---|
| CVE-2024-1015 | 9.8 | Multiple vulnerabilities in Firmware V03.07.03 and later Vulnerabilities may allow arbitrary code execution or cause a Denial-of-Service (DoS) system outage | 07 Jul 2026 | Carlos Antonini from Spanish National Cybersecurity Institue, S.A (INCIBE) | CSAF | |
| CVE-2024-1014 | 6.2 | Multiple vulnerabilities in Firmware V03.07.03 and later Vulnerabilities may allow arbitrary code execution or cause a Denial-of-Service (DoS) system outage | 07 Jul 2026 | Carlos Antonini from Spanish National Cybersecurity Institue, S.A (INCIBE) | CSAF |