Vulnerability Disclosure Policy

Last Updated: 27th May 2020

CSL are the trusted choice to provide M2M and IoT connectivity solutions to many sectors including Security, Fire, Telecare, Retail and more. Due to the critical applications that we support; the security, privacy and integrity of our products and services are a top priority to us and something we take very seriously. It is toward this goal that we hope to foster an open partnership with the security community to maintain and improve our posture. We recognise that the work this community does is important in continuing to ensure the safety and security for all CSL customers. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our applications or services. We are committed to working with security researchers to verify and address any potential in scope vulnerabilities that are reported to us.

INITIAL COMMUNITY

Our Vulnerability Disclosure Program initially covers the following ranges of products and services:
• DualCom Pro
• CSL Router
Whilst CSL develops other products, we ask that security researchers submit vulnerability reports only for these stated products/services. We intend to increase our scope as we build capacity and experience with this process.

HOW TO SUBMIT A VULNERABILITY

To submit a vulnerability report to our Vulnerability Disclosure Team, please privately share details of the suspected vulnerability via the following email address: vdp@csl-group.com

We may share your report where it is appropriate to do so, which may include sharing with other affected vendors or security organisations such as UKCERT.

CAVEATS

Whilst we encourage you to discover and report to us any vulnerabilities you may find in a responsible manner, the following conduct is expressly prohibited:

• Performing actions that may negatively affect our services to customers (e.g. Spam, Brute Force, Denial of Service, etc).
• Accessing, or attempting to access, data or information that does not belong to you.
• Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
• Conducting any kind of physical or electronic attack on CSL personnel, property or Data Centres.
• Social engineering any CSL service desk, employee or contractor.
• Violating any laws or breaching any agreements in order to discover vulnerabilities.

OUR COMMITMENT

We ask that you do not share or publicise an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report to us, our Vulnerability Disclosure Team will use reasonable efforts to:

• Respond in a timely manner, acknowledging receipt of your vulnerability report.
• Provide an estimated time frame for addressing the vulnerability report.
• Notify you when the vulnerability has been fixed.
• Maintain an open dialog where possible to discuss issues.
We are happy to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at CSL.

This website stores cookies on your computer. These cookies are used to improve our website and provide more personalised services to you, both on this website and through other media. To find out more about the cookies we use, please see our Cookie Policy. Please choose to accept or decline the use of cookies.

Thank you for your interest in our email updates.

We wanted to make sure you are aware that we will be storing your details securely and won't share them with any third party advertisers. Full details are available in our privacy policy

Please confirm you'd like to subscribe...
SUBSCRIBE NOW