Security at Miele

As a manufacturer of high-quality and durable products, Miele also places the highest demands on the cyber security of its networked devices, apps and web applications. Our specialized cyber security teams are committed to protecting your privacy.

Miele cooperates with the German Federal Office for Information Security (BSI), is a member of the Alliance for Cyber Security, an advisory board member of the CERT@VDE and collaborates with many recognized security experts.

 

Reporting of vulnerabilities

Please send your findings or remarks to the following address:
it-security@miele.com

If your findings or remarks concern one of our products or mobile applications, you are welcome to contact our Product Security Incident Response Team directly.
psirt@miele.com

Ideally, your message should contain the following information:

  • Affected product/application
  • Description of identified vulnerability
  • If available: proof-of-concept code, exploit or packet capture

Service Bulletins

ID, Title | Version | Last Update (DD/MM/YYYY) | Download
MPSB-2019-001, Updates for IBH NetBox | 1.0 | 06/02/2019 | Download
MPSB-2019-002, Information on Microsoft RDP Remote Code Execution Vulnerability | 1.0 | 28/05/2019 | Download

Security Advisories

ID, Title | Version | Last Update (DD/MM/YYYY) | Download
PSIRT-2019-001, Vulnerabilities in XGW3000 ZigBee Gateway | 1.0 | 17/05/2019 | Download
Treck TCP/IP Vulnerabilities (Ripple20) affecting Ethernet Communication Module XKM3000 L MED | 1.0 | 08/07/2020 | Download
Miele Benchmark Programming Tool | 1.0 | 12/05/2022 | Download
appWash | 1.0 | 21/11/2022 | Download

Disclosure Policy

Miele Vulnerability Disclosure Policy

1. Introduction

As a manufacturer of high-quality and durable products, keeping user information safe and secure is a top priority and a core company value for Miele. Therefore, we welcome the contribution of external security researchers to improving the security of our products and our IT applications. This policy sets out the framework that Miele provides for the responsible disclosure of security vulnerabilities. This policy is subject to change from time to time and applies in its latest version.


2. Scope

This policy applies to all networked and networkable products and components developed, produced or marketed by Miele as well as to all publicly accessible IT applications of Miele.

We are interested in findings that are exploitable, lead directly to an exploitable vulnerability, or allow user data to be compromised remotely.

Please note that reports regarding vulnerabilities with minimal security impact (e.g. missing headers), unverified results of automated scans, vulnerabilities beyond Miele’s control and vulnerabilities in violation of the requirements stated below are out of scope.


3. Eligibility and Responsible Disclosure

If you believe you have discovered a vulnerability in an IT application or have a security incident to report, please send your findings or remarks to the following address:

it-security@miele.com

If your findings or remarks concern one of our products or mobile applications, you are welcome to contact our Product Security Incident Response Team (PSIRT) directly:


psirt@miele.com

 

Ideally, your message should contain the following information:

  • Affected product/application
  • Description of identified vulnerability
  • If available: proof-of-concept code, exploit or packet capture

To accelerate the reporting process, we ask that you:

  • Share the security issue with us in detail;
  • Be respectful of our applications and systems and do not disrupt operations;
  • Give us a reasonable time to respond to the issue before publicly disclosing any information. We will try to contact you as soon as possible and eliminate a vulnerability within a period of 90 days. During this time, we ask you to keep all communications and information confidential. We reserve the right to change deadlines based on extreme circumstances;
  • Do not access or modify our data or our users’ data without the explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to the aforementioned e-mail address;
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and
  • Otherwise, comply with all applicable laws. 
     

4. Consequences of Complying with this Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy in its current version. We consider activities conducted consistent with this policy to constitute “authorized” conduct. To the extent that your activities are inconsistent with certain restrictions in our Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope.

We would like to thank you as an important contributor. Your hints and messages support us in making our systems more secure. We would like to express our gratitude and welcome you to our Hall of Fame. Please let us know if and under which name we can list you there.

Hall of Thanks

Miele would like to thank all persons and organizations who have contributed to improving the security of the devices, apps and web applications.

Name | Organisation | Year
Ruben Meeuwissen | | April 2024
Dzmitry Smaliak | | March 2024
Bob van der Staak | | June 2023
Daniel Waßmer | | February 2023
Phyo WaThone Win | | January 2023
Bishoy Roufael | | November 2022
Subhamoy Guha | | May 2022
Yassine Nafiai | | July 2021
Gourab Sadhukhan | | December 2020
Senna van Hoek | | August 2020
Pritam Mukherjee | | July 2020
Ismail Tasdelen | | February 2020
Maxim Rupp | rupp.it | May 2019
Ismail Tasdelen | | February 2018
SecuNinja (@secuninja) | | April 2017
