Abetechs GmbH (Grundig Security) Vulnerability Disclosure Policy


Purpose

Our goal is to ensure the security of our users and products. We welcome vulnerability reports and cooperate with security researchers to promptly fix issues.

How to Report a Vulnerability

The preferred method for contacting Abetechs GmbH (Grundig Security) regarding such vulnerabilities and errors is email: Security.advisories@abetechs.com

Please note that supplying your contact information with your report is entirely voluntary and at your discretion.

Participating in this vulnerability disclosure does not give you any right to intellectual property owned by Abetechs GmbH (Grundig Security) or a third party.

What We Expect from Researchers

How We Handle Reports

Advisory Publication

Abetechs GmbH (Grundig Security) publishes vulnerability advisories on its website, on the same page as this Disclosure Policy.


Advisory list

| ID | Date | Product | Description / Issue Summary | Affected Versions | Status / Fix |
|---|---|---|---|---|---|
| CWERK-2025-1 | 2024-07-10 | C-Werk | Exposure of Licensing-Related Sensitive Information in Diagnostic Dumps | 2.0.0 – 2.0.1 | Fixed in v. 2.0.2 |
| CWERK-2025-2 | 2024-10-12 | C-Werk | Improper Session Cleanup on Role Removal in Web Admin Panel | before 2.0.3r | Fixed in v. 2.0.3 |
| CWERK-2025-3 | 2025-01-19 | C-Werk | Incorrect Evaluation of LDAP Nested Groups during Login | before 2.0.2 | Fixed in v. 2.0.2 |

Unauthorized change of serial number and MAC address via API call.

2025-07-01

Smartline Cameras with FW V31.35.8.2.3.4 and timestamp 2310XX

A specific POST API request allows changing sensitive / embedded data such as the serial number and MAC address of the device. If certain values are changed, operation can no longer be guaranteed. The device can be bricked if non-ASCII symbols are submitted.

FW V31.35.8.2.3.4 with timestamp 2401XX and above

Unauthorized change of serial number and MAC address via API call.

2025-07-01

Smartline NVR with FW V31.35.8.2.3.4 and timestamp 2310XX

A specific POST API request allows changing sensitive / embedded data such as the serial number and MAC addresses of the device. If certain values are changed, operation can no longer be guaranteed. The device can be bricked if non-ASCII symbols are submitted.

FW V31.35.8.2.3.4 with timestamp 2401XX and above