Contact

BURY’s goal is to offer its customers the best possible automotive technology solutions, but not only that. As a company, we strive to constantly develop, to create new and more technologically advanced products. Despite our constant efforts on the cyber security of products and services, vulnerabilities and threats may arise as a result of new attack vectors.

The program was created to further ensure the cyber security of our products, systems or assets, so we encourage cyber security researchers from around the world to report potential vulnerabilities in their security. We appreciate your support in identifying vulnerabilities, which helps us minimize potential threats to our products, systems and assets.

Legal aspects

The Bury Group will not take legal action against researchers who investigate vulnerabilities in our products, systems and resources, provided that they follow the Product Vulnerability Reporting Regulations

By choosing to participate in this program, you agree to:

• Comply with the Regulations for reporting product vulnerabilities (link)
• Not to disclose vulnerability information and other information obtained and/or collected as part of the vulnerability reporting process (including vulnerability discovery) without prior written approval from BURY Group

Scope of the program

The following vulnerabilities are not included in the scope of the program notification:

• attacks such as Social Engineering (cookie theft, fake login pages, phishing),
• resource exhaustion attacks,
• DoS-type attacks
• ataki naruszające Regulamin zgłaszania podatności produktu.

In addition to the scope listed above, we encourage you to participate in the program and report vulnerabilities found in BURY Group products, systems and resources.

How to report a vulnerability ?

To disclose a potential vulnerability, you must accept the Regulations for Reporting Product Vulnerabilities and send a description using the form.

* I acknowledge that I have read and agree to the Terms and Conditions for reporting product vulnerabilities.

Before completing and submitting the form, read the rules for processing personal data of the Vulnerability Notifier:

1. The Controller of your personal data is BURY Sp. z o. o. with its registered office in Mielec, ul. Wojska Polskiego 4, 39-300 Mielec. Contact with the Controller is possible via e-mail address: rodo@bury.com or mailing address: ul. Wojska Polskiego 4, 39-300 Mielec (hereinafter referred to as “Controller”).

2. Your personal data will be processed for the purpose of handling a vulnerability request submitted via the contact form and further contact with the Submitter- the legal basis for processing will be the legitimate interest of the Controller (Article 6(1)(f) RODO); the Controller’s legitimate interest is to enable the handling of the vulnerability request, including contact with the Submitter.

3. If you have given your consent to the publication of your personal data in the Hall of Fame – the legal basis for processing is consent (Article 6(1)(a) RODO). You can withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing performed before its withdrawal. For evidence purposes, the Controller requests the withdrawal of consents by written or electronic means.

4. Your personal data may be shared with providers of IT systems and services acting on behalf of the Controller. Your personal data may be shared with other Bury Group Companies to the extent necessary to handle a vulnerability report if the content of the report relates to the business area of the respective Group Company.

5. To the extent that the processing of your data is based on your consent – your personal data will be processed until you withdraw it. In other cases, your personal data will be processed for the period necessary for the Controller to handle your request, for a maximum of 6 months, and the period that is necessary to defend the interests of the Bury Group in case of the need to make claims or defend against claims, not longer than until the statute of limitations for claims, and then will be archived.

6. You have the right: to access the content of your data and to request rectification, removal and restriction of processing.

7. Notwithstanding the above, as the basis for the processing of personal data is the premise of the controller’s legitimate interest, the Controller informs about the right to object to the processing of personal data.

8. You also have the right to lodge a complaint with the data protection supervisory authority.

9. Your personal data will not be processed by automated means, including profiling. 10. Provision of data is necessary to handle the application. The consequence of failing to provide personal data will be the inability to service the request.

FORM – Reporter Information

Name/nick:*

E-mail*

Phone Number:

Organization (if applicable):

Vulnerability Details

Date Discovered:

Affected Product/Service:

Please specify the exact product name, version, and relevant hardware or software details.

Type of Vulnerability:

e.g., Injection, XSS, Remote Code Execution, etc.

Description

Detailed Description:

Provide a detailed description of the vulnerability, including the context in which it occurs and its potential impact.”

Steps to Reproduce:

Provide step-by-step instructions on how to reproduce the vulnerability.

Proof of Concept:

Attach any proof of concept (PoC) code, screenshots, or video demonstrating the vulnerability.

Mitigation Suggestions*

Proposed Mitigations:

Provide suggestions for mitigating or fixing the vulnerability.

Disclosure Preferences*

Preferred Disclosure Timeline:

Specify your preferred timeline for disclosure (e.g., immediate, 30 days after acknowledgment, etc.).

Acknowledgment Preference:

Indicate if you would like to be publicly acknowledged in the Hall of Fame.

Legal Disclaimer

Confirmation of Compliance:

I hereby confirm that my research complies with all local laws and the BURY Vulnerability Disclosure Policy.I hereby confirm that I have not performed any unauthorized actions that could cause harm or disruption to BURY’s services or users.

Additional Information*

Attachments:

Attach any additional files or information that could help in understanding and mitigating the vulnerability.

Other Notes:

Provide any additional notes or comments relevant to your submission.

I confirm that I have read and accept the Terms and Conditions for Reporting Product Vulnerabilities.

Information obligation clause:

1. The Controller of your personal data is:
a) BURY sp. z o.o. with its registered office in Mielec, ul. Wojska Polskiego 4, 39-300 Mielec – in relation to personal data contained in messages addressed to BURY sp. z o.o. with its registered office in Mielec.
Contact with the Controller is possible via e-mail address rodo(at)bury.com or the correspondence address: Wojska Polskiego 4, 39-300 Mielec.
b) Research & Development Center BURY sp. z o.o. with its registered office in Mielec, Wojska Polskiego 4, 39-300 Mielec – in relation to personal data contained in messages addressed to Research & Development Center BURY sp. z o.o. with its registered office in Mielec.
Contact with the Controller is possible via the e-mail address rodo(at)bury.com or the correspondence address: Wojska Polskiego 4, 39-300 Mielec.
c) BURY GmbH & Co. KG with its registered office in Löhne, Deutschland, Robert-Koch-Str. 1-7 32584 Löhne – in relation to personal data contained in messages addressed to BURY GmbH & Co. KG with its registered office in Löhne.
Contact with the Controller is possible via the e-mail address infoline(at)bury.com or the correspondence address: Robert-Koch-Str. 1-7 32584 Löhne, Deutschland.
d) BURY-Tlaxcala S.r.l. with its registered office in Avenida Virgen de la Caridad No. 104, CP. 90500 | Ciudad Industrial Xicotencatl II Huamantla, Tlaxcala – in relation to personal data contained in messages addressed to BURY-Tlaxcala S.r.l. Contact with the Controller is possible via e-mail address rodo(at)bury.com or the correspondence address: : Avenida Virgen de la Caridad No. 104, CP. 90500 | Ciudad Industrial Xicotencatl II Huamantla, Tlaxcala.
(BURY sp. z o.o., Research & Development Center BURY sp. z o.o., BURY GmbH & Co. KG and BURY-Tlaxcala S.r.l. are hereinafter referred to as the “Controller”).

2. Your personal data will be processed in order to handle the request or answer the question sent via the contact form – the legal basis for processing of your personal data will be the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR); the legitimate interest of the Controller is to enable handling of requests and answering questions asked by persons interested in services or products of the BURY Group.
3. Your personal data may be transferred to suppliers of IT systems and IT services, acting on behalf of the Controller. Personal data may be made available to other companies of the BURY Group in order to enable handling of requests and answering questions if the content of the inquiry relates to the area of activity of a certain Company from the BURY Group.
4. Your personal data will be processed for the period necessary to handle the request or provide a response by the Controller.
5. You have the right to: access the content of the data and demand their rectification, deletion and limitation of processing.
6. Notwithstanding the above, since the premise of Controller’s legitimate interest is the grounds for the processing of the personal data, please be informed by the Controller of your right to object to the processing of your personal data.
7. You also have the right to lodge a complaint with the supervisory body dealing with the protection of personal data.
8. Providing personal data is necessary to handle the request or answer the question by the Controller. The consequence of not providing personal data will be the inability to handle the request or answer the question sent by you.

Read more