Cybersecurity @ SMA
Coordinated Vulnerability Handling and Disclosure Process
SMA is committed to helping ensure the safety and security of its products and services and their application by users and customers. SMA follows a holistic and comprehensive approach to secure its products, solutions, services, and IT infrastructure. This approach includes a process for handling and remediating reported security vulnerabilities in its products, solutions, services, and IT infrastructure.
SMA is prepared to work in good faith with individuals and organizations that submit vulnerability reports through the ways described in the section “Contact Information”. SMA openly accepts reports for SMA products, solutions, services, and IT infrastructure, and SMA is happy to acknowledge individuals and organizations that ethically report security issues.
SMA does not intend to engage in legal action against reporting parties who:
- test and research without harming anyone,
- test without affecting customers, or receive permission from customers before engaging in vulnerability testing against their systems,
- adhere to applicable laws,
- perform coordinated disclosure,
- avoid impact to the safety, security, and privacy of everyone.
To report a security vulnerability affecting an SMA product, solution, or IT infrastructure component, please contact SMA using the ways described in the section “Contact Information”. SMA will acknowledge receiving your report within three business days.
Please report the following information:
- affected products, services, or IT infrastructure components, including model, firmware version and serial number,
- a detailed description of the issue, and the steps required to reproduce what you have observed,
- whether the vulnerability was already publicly disclosed.
We welcome vulnerability reports from researchers, industry groups, CERTs, partners, and any other source. SMA does not require a non-disclosure agreement (NDA) as a prerequisite for receiving reports and will not ask for NDAs during the coordinated disclosure process.
SMA respects the interests of the reporting party. We also accept anonymous reports. We agree to handle any vulnerability related to SMA products, solutions, or IT infrastructure components.
SMA urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which can put systems at risk. This is especially important as such systems may be part of critical infrastructure.