cab PSIRT — Report vulnerabilities responsibly
Product Security Incident Response Team
The cab PSIRT coordinates the intake, assessment and publication of vulnerabilities in cab products. Did you find a security issue? We welcome your report and will handle it confidentially.
Who we are
The Product Security Incident Response Team (PSIRT) of cab Produkttechnik GmbH & Co KG is the central point of contact for security-related information about our products. We receive vulnerability reports, investigate them, coordinate remediation with our engineering and manufacturing teams, and publish security advisories as soon as a mitigation or update becomes available.
Our process follows the German Federal Office for Information Security (BSI) guidance for EU Cyber Resilience Act conformity (BSI TR-03183-1/2/3).
How the cab PSIRT works
1. Intake: We accept reports by email and acknowledge receipt as soon as possible. Reporters may remain anonymous on request.
2. Assessment: Our team analyses the issue, reproduces it on the affected product versions and rates the severity according to CVSS v3.1.
3. Remediation & disclosure: We provide a mitigation or update and publish a security advisory in the machine-readable CSAF 2.0 format including VEX status information.
Which products are in scope?
The cab PSIRT covers the full cab marking product portfolio with digital interfaces:
- Label printers — including EOS, MACH 4S, SQUIX, XC Q, XD Q
- Print-and-apply systems — HERMES Q, PX Q, AXON
- Labeling heads and label dispensers — IXOR, ROXI
- Marking lasers — XENO
Reports concerning cab software (e.g. cablabel S3, printer drivers, configuration tools) are also handled via the address below.
How to report a vulnerability
Please send your report to the email address below. To allow us to handle your report quickly and consistently, please include as many of the following items as you can:
- Product name and product number
- Description of the vulnerability (ideally with CWE category)
- Observed impact on the product
- Reporter contact (pseudonym is acceptable)
- Firmware or software version
- Steps to reproduce or proof of concept
- Already public? Any planned disclosure?
- Whether you wish to be credited or remain anonymous
Contact
We acknowledge receipt of your report and will come back to you with the next steps.
PGP encryption
Security-related information is sensitive. We strongly recommend that you encrypt your report with our public PGP key.
Fingerprint: 0ADD 9B47 ED4A FA52 EF90 F42C FDEB 9E9E AC25 D06E
Key type: Ed25519, valid until 2030-10-21
Please note: If you are contacting us for the first time, attach your own public PGP key to your initial e-mail. That way we can also encrypt our replies to you.
Code of Conduct
Coordinated vulnerability disclosure depends on mutual trust. Here is what we commit to — and what we ask of you in return.
What we promise (cab PSIRT)
- We acknowledge receipt of your report and keep you informed about the status of its processing.
- We treat your report and your identity as confidential.
- We credit you by name only if you explicitly request it.
- We share information only with authorised personnel.
- We will not take legal action against you, provided you respect the expectations listed below.
What we expect from reporters (ground rules)
- The vulnerability has not yet been publicly disclosed.
- You submit valid, verifiable technical information.
- You give us the chance to remediate before public disclosure.
- No criminal acts have been committed — in particular no manipulation of third-party data, no denial-of-service against production systems, no interference with third-party infrastructure.
- You provide valid contact details for follow-up — pseudonyms are fine.
Standards & compliance
The cab PSIRT aligns its processes and artefacts with the relevant international and European standards:
- EU CRA / BSI TR-03183-1: Cybersecurity requirements for manufacturers, covering risk assessment, secure development and vulnerability handling.
- BSI TR-03183-2: SBOM requirements. We ship machine-readable SBOMs per release in CycloneDX and SPDX.
- BSI TR-03183-3: Vulnerability reports and security advisories in CSAF 2.0 format with embedded VEX status information.
- CVSS v3.1: Common Vulnerability Scoring System used for severity rating.