
Cybersecurity at Yunex Traffic

We protect what is important to you.

Yunex Traffic is committed to helping ensure the safety and security of its customers’ facilities. Therefore, we follow a holistic and comprehensive approach to secure our products, solutions, services, and IT infrastructure. We have formalized a process for handling reported security vulnerabilities in our product portfolio and IT infrastructure.

Information security

The many benefits of an increasingly digital and connected world come at a price: cyber-attacks have become a serious threat. They affect not only our data, but also our daily lives. That is why comprehensive security mechanisms and a security-oriented mindset are essential in any organisation. Cybersecurity is a highly sensitive area that requires a trusted partner, one who understands how products, systems and technical solutions fit with a company’s processes and people. Cybersecurity is a very high priority for us. That’s why we make it a point to be ISO/IEC 27001 certified once a year to ensure that we have the best processes and technologies in place for the constantly and rapidly changing battlefield.

We are prepared to work in good faith with individuals who submit vulnerability reports via the channels described in section “Contact Information”. We openly accept reports for currently listed Yunex Traffic products, solutions, and Yunex Traffic IT infrastructure. We credit individuals who ethically report security issues in Yunex Traffic’s products, solutions, services, or infrastructure. We do not intend to engage in legal action against individuals who:

  • Engage in testing of systems/research without harming anyone.
  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
  • Adhere to the applicable laws.
  • Perform coordinated disclosure, i.e., refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
  • Avoid impact to the safety or privacy of anyone.

Vulnerability Handling

Vulnerability Handling and Disclosure Process

The vulnerability handling process consists of the following four steps at Yunex Traffic:

1. Report

To report a security vulnerability affecting a Yunex Traffic product, solution or infrastructure component, please contact Yunex Traffic using the channels described in section Compliance (or see “Cybersecurity Contact” below). Yunex Traffic usually responds to incoming reports within one to two business days (reference: Munich, Germany).

Please report the following information:

  • Description of vulnerability, including proof-of-concept exploit code or network traces (if available)
  • Affected product, solution or infrastructure component, including model and firmware version (if available)
  • Publicity of vulnerability (was it already publicly disclosed?)

Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product lifecycle status. Yunex Traffic welcomes vulnerability reports from researchers, industry groups, CERTs, partners and any other source, and does not require a non-disclosure agreement as a prerequisite for receiving reports. Yunex Traffic respects the interests of the reporting party (including anonymous reports, if requested) and agrees to handle any vulnerability that is reasonably believed to be related to Yunex Traffic products, solutions or infrastructure components. Yunex Traffic urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts Yunex Traffic’s customer systems at unnecessary risk. Those systems comprise significant parts of the worldwide critical infrastructure.

2. Analysis

Yunex Traffic investigates and reproduces the vulnerability. If needed, Yunex Traffic will request more information from the reporter.

3. Handling

Yunex Traffic performs internal vulnerability handling in collaboration with the responsible development groups. National and governmental CERTs that have a partnership with Siemens ProductCERT may be notified about a security issue in advance. During this time, regular communication is maintained between Yunex Traffic and the reporting party to provide status updates and to ensure that the vendor’s position is understood by the reporting party. If available, pre-releases of software fixes may be provided to the reporting party for verification.

4. Disclosure

Once the issue has been successfully analysed, and if a fix is necessary to address the vulnerability, corresponding fixes will be developed and prepared for distribution. Yunex Traffic will use existing customer notification processes to manage the release of patches, which may include direct customer notification or public release of a security advisory containing all necessary information on the Yunex Traffic website.

Cybersecurity Contact

Feel free to contact us with any security-related question about the Yunex Traffic portfolio or infrastructure, and particularly if you want to report a potential security issue.

Contact us: cybersecurity@yunextraffic.com

Please bear in mind that only emails composed in English or German can be considered. You can expect us to respond by the next business day in Germany (city: Munich).