Product Security (PSIRT) — Vulnerability Disclosure Policy
Responsible Vulnerability Disclosure Policy
ifp Software GmbH (oee.ai) takes the security of its products and services seriously. Our Product Security Incident Response Team (PSIRT) is the central point of contact for security researchers, customers, and partners to report potential vulnerabilities in our products and services. We welcome such reports and treat every submission confidentially.
Contact
Please report suspected security vulnerabilities to our central contact point:
psirt@oee.ai
This address serves as our Single Point of Contact in accordance with Article 13(17) of Regulation (EU) 2024/2847 (Cyber Resilience Act). We process reports in German and English. Anonymous reports are expressly welcome. Neither a Non-Disclosure Agreement (NDA) nor a customer relationship is required for a report.
What We Ask for in a Report
To enable us to respond quickly, the following information is helpful:
- Affected product, version or firmware status, and – if known – the serial number or device ID
- Description of the vulnerability and its potential impact
- Steps to reproduce (proof of concept, logs, screenshots)
- Your contact details for follow-up questions
Our Commitments (Safe Harbor)
- We usually confirm receipt of your report within 3 business days.
- We will keep you updated on the progress and inform you as soon as the vulnerability is resolved.
- We will take no legal action against individuals who investigate vulnerabilities in good faith, without disrupting operations and without accessing third-party data, and who report them to us confidentially.
- We ask you to publish the vulnerability only after mutual agreement and after a fix has been provided (Coordinated Disclosure).
What We Ask You Not to Do
- No access to, alteration of, or deletion of data that does not belong to you
- No impairment of the availability of our systems or our customers' systems (no Denial of Service)
- No social engineering attacks on our employees or customers
- No disclosure of details before coordinated remediation
Scope
This policy applies to the proprietary hardware manufactured by ifp Software GmbH (oee.ai), including the software and firmware running on it, as well as the associated online services operated by us and the oee.ai website.
It does not cover third-party products and components that we merely resell or integrate. Please report vulnerabilities in such products to the respective manufacturer.
ifp Software GmbH · As of: June 2026. This policy is based on the principles of ISO/IEC 29147 (Vulnerability Disclosure) and is regularly reviewed and updated.