Coordinated disclosure policy

Coordinated Vulnerability Disclosure Policy of the Voith Group

Voith is committed to maintaining a high level of security across all our products, digital services, and supporting systems. Our multi‑layered security concept ensures IT security and data protection and is regularly validated through recognized certifications such as ISO 27001 or IEC 62443.

If you discover a security issue or vulnerability — whether in our digital services, online platforms, or Voith products — we ask that you report it to us responsibly. We will take immediate action to analyze and remediate the issue as quickly as possible.

How to report a vulnerability

Please send all relevant findings via email to security@voith.com. Alternatively, please contact us by phone at +49-(0)7321-37-2222, mentioning "Coordinated Disclosure".

To help us investigate effectively, please provide sufficient information to reproduce the issue, along with a way to contact you for follow‑up questions. We ask that you refrain from exploiting the vulnerability, e.g. downloading, modifying, or deleting data; uploading code; or sharing details with third parties.

Services and products in scope

The scope includes all Voith‑owned or Voith‑operated digital services and all Voith products in which security vulnerabilities may occur. This explicitly covers product‑related software, firmware, embedded systems, and connected components.

The following domains are in scope:

  • *.voith.com
  • *.voith.de
  • *.voith.net
  • *.myvoith.com
  • *.voith.io
  • *.voith.org

Reports concerning services not operated by or under the responsibility of Voith are welcome but may not qualify as in‑scope under this policy.

Qualifying vulnerabilities

Any vulnerability with a credible attack scenario that could impact the confidentiality, integrity, or availability of Voith products, services, or information systems is considered in scope. Examples include:

  • Authentication or authorization issues
  • Cross‑site scripting
  • Server‑side code execution
  • Security flaws in Voith products, their software components, interfaces, or communication mechanisms.

Non-qualifying vulnerabilities

Some reports may not fall within the policy scope, such as:

  • Issues already known or previously reported (“first‑come, first‑serve”)
  • Findings resulting from activities that violate applicable laws or compliance rules
  • Vulnerabilities in sandbox or test domains without demonstrable impact
  • Non‑impactful version disclosures or generic email spoofing.

What we promise

We will confirm receipt of your report and keep you informed about relevant results of its internal processing.

We will take appropriate countermeasures as soon as possible to close the reported vulnerability.

We will treat your report and related information strictly confidentially and will not disclose your personal data to third parties without your consent.

We will not take any legal action against you. This does not apply in cases of recognizable criminal or intelligence intentions.

The reporter is judged according to his or her abilities and not according to personal aspects such as age, gender, origin, education or social rank.

We show this respect and gratitude to every reporter by documenting the closed vulnerability in the corresponding documentation or news of the item concerned. If you wish, this can also be done by mentioning your name (or alias).

We currently have no general bug bounty program. There is expressly no legal claim to a reward. Decisions in this regard are subject to Voith's sole discretion.

Voith GmbH & Co. KGaA