Can we Assist you?
Please feel free to contact us.

Coordinated Vulnerability Disclosure (CVD) Policy

Elementar Analysensysteme GmbH — last updated 2026-06-18

 

Elementar Analysensysteme GmbH takes the security of its products and services seriously. We welcome reports from security researchers and the wider community and are committed to handling them in a coordinated and transparent manner, in line with the EU Cyber Resilience Act (Regulation (EU) 2024/2847) and good industry practice.

1. Scope

This policy applies to all products, services and online systems operated by Elementar Analysensysteme GmbH.

2. How to report a vulnerability

If you believe you have found a security vulnerability, please contact us:

Please include enough information to reproduce the issue: affected product/version, a description of the impact, and step-by-step instructions or a proof of concept.

3. What you can expect from us

  • We will acknowledge your report within 5 business days.
  • We will keep you informed about our progress as we triage and remediate the issue.
  • We aim to remediate confirmed vulnerabilities and coordinate public disclosure within 90 days, working with you on the timeline where possible.
  • With your permission, we are happy to credit you once the issue is resolved.

4. Our commitment to you (Safe Harbor)

Elementar Analysensysteme GmbH will not pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in accordance with this policy. We consider security research conducted under this policy to be authorized. Please act in good faith, avoid privacy violations, data destruction and service disruption, and only interact with accounts you own or have explicit permission to test.

5. Out of scope

Findings that require physical access, social engineering of our staff, denial-of-service (DoS/DDoS) attacks, or reports from automated scanners without a demonstrable impact are generally considered out of scope.

6. Our response & reporting structure (PSIRT)

Elementar Analysensysteme GmbH operates an internal Product Security Incident Response Team (PSIRT) that triages reports, coordinates fixes and manages disclosure. Under the EU Cyber Resilience Act, once an actively exploited vulnerability is reported through this channel or discovered internally, statutory reporting deadlines apply from September 2026:

  • Within 24 hours: submit an early warning to the national CSIRT (BSI, Germany) and ENISA.
  • Within 72 hours: submit a more detailed notification including an initial technical assessment and available mitigations.
  • Within 14 days of a fix: submit the final report once a security update (patch) has been made available.

These statutory deadlines complement — and do not replace — the coordinated timeline we agree with the reporter for public disclosure.
