Contact Cyber Security PMAG

At PIERER Mobility AG, we prioritize the safety and security of our customers above all else. Despite our efforts to implement the best possible security measures, vulnerabilities may still be present in our products, services, or systems. If you have identified any vulnerabilities, we encourage you to report them so that we can promptly address them.

SCOPE

Reports are accepted for evaluation if they refer to websites, services, or vehicles of the PIERER Mobility Group.

HOW TO SUBMIT A VULNERABILITY

To disclose a potential vulnerability, please send your results to vulnerability@pierermobility.com using PGP or S/MIME. The corresponding public key can be downloaded here.

<Insert here: Download: PGP key file>

How to report

  • Please send the information in English or German.
  • State time and date of discovery.
  • Include the Product Model and number. Also include all software version numbers that you are aware of.
  • Detailed description of the vulnerability that allows us to reproduce it, including e.g. utilized tools, target, processes, and results. Also include the artefacts used for discovery.
  • Proposed correction of the vulnerability, if available.
  • Refrain from accessing any data, whether personal or non-personal, that is not explicitly assigned to you or without having obtained prior consent.
  • Do not engage in any activities that could cause harm to yourself or others, or lead to potentially dangerous situations, such as tampering with vehicles while driving.

Acknowledgement and Response

We try to respond to your report within five business days with a first acknowledgement and try to complete our internal analysis within ten business days.

In case we need additional information, we will reach out to you. Additionally, we will keep you updated on the status of the vulnerability.

Please be aware that the timelines mentioned may not be guaranteed. Nonetheless, our security team will endeavor to keep you informed about the progress of any reported vulnerabilities.

Please note that addressing a vulnerability in a vehicle differs significantly from handling vulnerabilities in classic IT systems. Vehicles are subject to stringent legal requirements and safety standards. Consequently, developing a potential patch for a vehicle may involve a longer timeframe.

Data Privacy

All personal data in connection with a vulnerability report will be processed in accordance to PIERER Mobility Group’s internal data privacy procedures and in compliance with all applicable laws.

The following data may be processed by the responsible vulnerability team (if provided):

  • identity, function, and contact details of the reporter,
  • reported information, facts, and evidences, and
  • actions taken to process the alert.

Data retention depends on the result of the investigation, however, and can differ depending on local legal requirements. When:

  • the alert is unsubstantiated: all collected data will be deleted from the system in due course;
  • the alert is substantiated: all collected data will be deleted in due course according to applicable law, following the end of the verification of the reported facts, or when they are no longer relevant.