
Security Policy

Vulnerability Disclosure & Security Incident Reporting Policy – Autonoma Technologies GmbH

1. Purpose

Autonoma is committed to ensuring the security of its Industrial IoT solutions, including OT hardware, edge gateways, and cloud platform services.

This policy defines a clear and responsible process for:

  • Reporting security vulnerabilities
  • Reporting security incidents
  • Enabling structured and secure communication between reporters and Autonoma

2. Scope

This policy applies to all systems and services operated by Autonoma, including:

  • Industrial IoT hardware (industry PCs, gateways, embedded systems)
  • Edge and VPN connectivity components
  • Cloud platform and APIs
  • Web applications and supporting infrastructure

3. What to Report

3.1 Vulnerabilities

Weaknesses that could be exploited to:

  • Gain unauthorized access
  • Escalate privileges
  • Extract or manipulate data
  • Disrupt services

3.2 Security Incidents

Actual or suspected events such as:

  • Unauthorized access attempts
  • Data breaches or suspected exposure
  • Active exploitation of a vulnerability
  • Compromise of systems or accounts
  • Malicious activity affecting Autonoma services

4. How to Report

Security issues can be reported via:

5. Required Information

To enable effective handling, please provide:

  • Description of the issue
  • Affected system or component
  • Steps to reproduce (if applicable)
  • Observed or potential impact
  • Supporting evidence (logs, screenshots, PoC)

6. Reporter Identification

When submitting a report via email or the service portal, a valid email address (and portal authentication where applicable) is required. This is necessary to:

  • Acknowledge receipt of the report
  • Request additional information if needed
  • Provide updates during investigation and remediation
  • Coordinate responsible disclosure
  • Clarify technical details and avoid misunderstandings

Autonoma treats reporter information confidentially and uses it solely for handling the reported issue.

7. Our Commitment

Autonoma commits to:

  • Acknowledge receipt of reports within 48 hours
  • Perform an initial triage and validation
  • Prioritize based on severity and impact
  • Provide updates during remediation where appropriate
  • Handle all reports confidentially

8. Handling Process

8.1 Vulnerabilities

Reported vulnerabilities are:

  1. Logged and tracked internally
  2. Assessed and classified (Critical / High / Medium / Low)
  3. Assigned to responsible teams
  4. Remediated according to internal SLAs
  5. Verified and closed after resolution

8.2 Security Incidents

Reported incidents are handled according to Autonoma's Incident Response Process:

  1. Identification and validation
  2. Classification and severity assessment
  3. Containment and mitigation
  4. Investigation and root cause analysis
  5. Recovery of affected systems
  6. Communication with affected stakeholders
  7. Documentation and post-incident review

9. Coordinated Disclosure

Autonoma supports coordinated vulnerability disclosure:

  • Public disclosure should only occur after remediation or mutual agreement
  • Autonoma may publish advisories if appropriate
  • Reporters will be informed before disclosure where possible

10. Responsible Disclosure Guidelines

We ask that you:

  • Act in good faith
  • Do not exploit vulnerabilities beyond demonstration
  • Do not access or modify data that is not your own
  • Do not disrupt services or systems
  • Provide sufficient detail for reproduction

11. Safe Harbor

Autonoma will not pursue legal action against individuals who:

  • Follow this policy
  • Act in good faith
  • Avoid causing harm or disruption

12. Contact

Security Contact: security@autonoma.cloud
Incident & Vulnerability Reporting Portal: autonoma-corp.atlassian.net/servicedesk/customer/portal/4

13. Disclaimer

This policy supports responsible security research and transparent communication. It does not grant authorization for activities that violate applicable laws or regulations.
