Abetechs GmbH (Grundig Security) Vulnerability Disclosure Policy

Introduction & Purpose

At Abetechs GmbH (Grundig Security), protecting our customers and the integrity of our products is a core priority. We welcome collaboration with the security research community and appreciate responsible vulnerability reporting. This policy explains how to report security issues and what you can expect from us during the process.

This policy applies to all vulnerabilities identified in Grundig Security products and solutions that are developed and maintained by us. It does NOT apply to third-party accessories, storage media, or other peripheral items offered on our website for compatibility or convenience, where security responsibility lies with the original manufacturer.

How to Contact Us

If you believe you have discovered a security issue in a Grundig Security product or service, please notify us by email at: security.advisories@abetechs.com

Participation in this process does not grant rights to intellectual property owned by Abetechs GmbH (Grundig Security) or third parties.

What to Include in a Report

To help us investigate effectively, please provide as much detail as possible

• Affected product and version
• Description of the issue and potential impact
• Steps to reproduce or a proof of concept (if available)
• Suggested remediation or workaround (if known)
• Preferred disclosure timeline (if applicable)

We generally treat the following as security vulnerabilities: memory management errors, injection flaws, XSS, CSRF, privilege escalation, authentication/authorization weaknesses, misconfigurations with security impact, information disclosure, and supply chain issues directly affecting Grundig Security products.

We typically do NOT consider: configuration hardening recommendations without security impact, social engineering or physical attacks, denial-of-service from resource exhaustion without a specific flaw, issues in end-of-life products (Legacy products tab on Grundig-security.com), or vulnerabilities in third-party components not maintained by Grundig Security.

Our Response Process

• Acknowledgment: we confirm receipt of your report within 2 business days.
• Assessment: within 14 business days, we evaluate the issue and its severity.
• Progress Updates: we provide updates at least every 30 days until resolution.
• Publication: If accepted, we publish the relevant vulnerability report on our website in the «Disclosure policy» section.

Disclosure Timeline

Our standard timeframe for coordinated disclosure is up to 90 days from acknowledgment. This may be adjusted in agreement with the reporter, depending on severity and complexity.

We work closely with security researchers to coordinate public disclosure in a way that ensures timely fixes and reduces risk for our users.

Researcher Acknowledgment

With the researcher’s consent, we will credit contributions in the related advisory and, where applicable, in the corresponding CVE Record.

Grundig Security does not operate a public bug bounty program and does not provide financial rewards. However, we value the efforts of the security research community and recognize researchers who report vulnerabilities responsibly.

Safe Harbor & Legal Considerations

If you follow this policy and act in good faith:

• We will not pursue legal action against you.
• Security testing conducted under this policy will be considered authorized.

Good-faith research does NOT include activities such as accessing, altering, or exfiltrating data beyond what is necessary to demonstrate the vulnerability, or intentionally impacting the availability, confidentiality, or integrity of Grundig Security services or customer data.

Contact Details

For all vulnerability reports and security-related inquiries: Email: security.advisories@abetechs.com

Advisory list

ID	Date	Product	Description / Issue Summary	Affected Versions	Status / Fix
CWERK-2025-1	2024-07-10	C-Werk	Exposure of Licensing-Related Sensitive Information in Diagnostic Dumps	2.0.0 – 2.0.1	Fixed in v. 2.0.2
CWERK-2025-2	2024-10-12	C-Werk	Improper Session Cleanup on Role Removal in Web Admin Panel	before 2.0.3r	Fixed in v. 2.0.3
CWERK-2025-3	2025-01-19	C-Werk	Incorrect Evaluation of LDAP Nested Groups during Login	before 2.0.2	Fixed in v. 2.0.2
GU-IPC-1	2025-07-01	SmartLine IPS	A specific POST API request allows to change sensitive / embedded data like serial number and MAC address of the device. If certain values are changed, operation can no longer be guaranteed. Device can be bricked if non-ASSCI symbols are submitted.	V31.35.8.2.3.4 and timestamp 2310XX	FW V31.35.8.2.3.4 with timestamp 2401XX and above
GU-NVR-1	2025-07-01	SmartLine NVR	A specific POST API request allows to change sensitive / embedded data like serial number and MAC addresses of the device. If certain values are changed, operation can no longer be guaranteed. Device can be bricked if non-ASSCI symbols are submitted.	FW V31.35.8.2.3.4 and timestamp 2310XX	FW V31.35.8.2.3.4 with timestamp 2401XX and above