Cybersecurity & Coordinated Vulnerability Disclosure (CVD)
At CMZ Sistemi Elettronici Srl, we consider the security and cyber resilience of our motion control systems a top priority.
In compliance with EU Regulation 2024/2847 (Cyber Resilience Act), we adopt a coordinated vulnerability disclosure policy to promptly identify and address any security flaws in our products (hardware, firmware, software, and applications).
We ask customers, industry partners and independent researchers to collaborate with us, by reporting any potential vulnerabilities found in our devices.
1. Scope
This policy applies exclusively to cybersecurity vulnerabilities discovered on CMZ’s currently supported products:
- FCT series Programmable Controllers and PLCs (FCT641, FCT640, FCT300, FCT200).
- SBD, LBD, IBD, and SSD series Smart Drive Servo Drives.
- Development and Tuning Software (SDSetUp, GEM Drive Studio).
- Motion Libraries and Packaging Applications (HFFS, VFFS, flying shear).
Out of Scope: Reports regarding the company’s IT infrastructure or the CMZ main website (issues configuring the site’s SSL certificates, SPF/DMARC records, DDoS attacks) are not covered by this policy and will not be addressed.
2. Rules of engagement
To ensure secure operation and protect the business continuity of industrial plants, reporters must comply with the following rules:
- No operational damage: tests that could cause the unexpected shutdown of operational machines, physical damage to equipment, or production interruptions are prohibited; in particular, large-scale DoS or brute-force attacks must be avoided.
- Confidentiality (Coordinated Disclosure): the reporter agrees not to publicly disclose the details of the vulnerability until CMZ has validated the flaw and released a security patch or effective mitigation measure.
- Use of data: do not collect, modify or destroy data belonging to third parties during firmware or software analysis.
CMZ agrees not to take legal action against reporters who act in good faith in full compliance with these rules.
3. How to submit a report
If you have identified a vulnerability, please submit a detailed report exclusively through the following channels:
- 📧 Dedicated email: cybersecurity[AT]cmz.it
- 🔐 Encryption (Recommended): To protect sensitive information before the patch is released, please encrypt the message using our PGP Public Key.
Fingerprint: B701CC79F481E0C2C15361928205143AFB53A27C
The PGP key is available for download here: PGP Key Download
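The following POSIX shell script is an added example and is not part of the CMZ policy page: it shows how a reporter can check that the downloaded key really carries the fingerprint published above before using it to encrypt a report. The key file name, the report path and the use of GnuPG's colon-separated output are assumptions; the fingerprint value is the one published on this page.

```shell
# Added example (not CMZ's own tooling): verify the downloaded PGP key against
# the published fingerprint, then encrypt a report for that key only.
# Assumed inputs: an armored key file and a plaintext report file.
EXPECTED_FPR="B701CC79F481E0C2C15361928205143AFB53A27C"

# normalize_fpr: drop whitespace and upper-case the hex digits so the spaced
# form printed by gpg compares equal to the compact form published above.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# fingerprint_matches CANDIDATE: exit 0 only on an exact match with EXPECTED_FPR.
fingerprint_matches() {
  [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# key_fingerprint KEYFILE: print the primary-key fingerprint of an armored key
# file without importing it (GnuPG 2.1+ "fpr" records in --with-colons output).
key_fingerprint() {
  gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_report KEYFILE REPORT: refuse to proceed on a fingerprint mismatch;
# otherwise import the key and write REPORT.asc encrypted to that key.
encrypt_report() {
  keyfile="$1"
  report="$2"
  actual="$(key_fingerprint "$keyfile")"
  if ! fingerprint_matches "$actual"; then
    echo "fingerprint mismatch: got '$actual', expected $EXPECTED_FPR" >&2
    return 1
  fi
  gpg --batch --import "$keyfile" >/dev/null 2>&1 || return 1
  # The explicit fingerprint comparison is the trust decision here, so the
  # web-of-trust prompt is bypassed; the recipient is selected by full fingerprint.
  gpg --batch --trust-model always --armor --encrypt \
      --recipient "$EXPECTED_FPR" --output "$report.asc" "$report"
}

# Usage (assumed file names): encrypt_report cmz-pgp-key.asc report.txt
```

Comparing the fingerprint from the key file itself, rather than from the key server or the download page, is what protects against a swapped or tampered key; the `--trust-model always` flag is only acceptable because that comparison has already been made.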
Required information in the Report:
- Hardware product model and exact affected firmware/software version.
- Detailed description of the flaw and clear steps to reproduce it (Proof of Concept – PoC).
- Estimated potential impact on the control system or axis motion.
4. Our management process and timelines
CMZ manages reports in accordance with the timeframes set by European authorities and the CRA:
- Receipt (within 48 business hours): we will send a confirmation of receipt of the report to the sender.
- Triage and Validation (within 10 business days): our R&D team will analyze the report to verify the presence of the bug and assess its severity.
- Resolution and Patching: if the vulnerability is confirmed, CMZ will develop a corrective software or firmware patch. Impacted customers will be notified directly or via a security bulletin in the download area.
- Reporting to Authorities: in the event of a critical vulnerability being actively exploited on the market, CMZ will notify the Italian National CSIRT and ENISA within the legal deadlines (24/72 hours).