Vulnerability Disclosure Policy
Last Updated: 24th March 2023
CSL are the trusted choice to provide M2M and IoT connectivity solutions to many sectors including Security, Fire, Telecare, Retail and more. Due to the critical applications that we support, the security, privacy and integrity of our products and services are a top priority to us and something we take very seriously. It is toward this goal that we hope to foster an open partnership with the security community to maintain and improve our posture. We recognise that the work this community does is important in continuing to ensure the safety and security of all CSL customers. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our applications or services. We are committed to working with security researchers to verify and address any potential in-scope vulnerabilities that are reported to us.
Our Vulnerability Disclosure Program initially covers the following ranges of products and services:
• DualCom Pro
• CSL Router
Whilst CSL develops other products, we ask that security researchers submit vulnerability reports only for these stated products/services. We intend to increase our scope as we build capacity and experience with this process.
HOW TO SUBMIT A VULNERABILITY
To submit a vulnerability report to our Vulnerability Disclosure Team, please privately share details of the suspected vulnerability via the following email address: firstname.lastname@example.org
We may share your report where it is appropriate to do so, which may include sharing with other affected vendors or security organisations such as UKCERT.
Whilst we encourage you to discover and report to us any vulnerabilities you may find in a responsible manner, the following conduct is expressly prohibited:
• Performing actions that may negatively affect our services to customers (e.g. Spam, Brute Force, Denial of Service, etc.).
• Accessing, or attempting to access, data or information that does not belong to you.
• Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
• Conducting any kind of physical or electronic attack on CSL personnel, property or Data Centres.
• Social engineering any CSL service desk, employee or contractor.
• Violating any laws or breaching any agreements in order to discover vulnerabilities.
We ask that you do not share an unresolved vulnerability with, or publicise it to, third parties. If you responsibly submit a vulnerability report to us, our Vulnerability Disclosure Team will use reasonable efforts to:
• Respond in a timely manner, acknowledging receipt of your vulnerability report.
• Provide an estimated time frame for addressing the vulnerability report.
• Notify you when the vulnerability has been fixed.
• Maintain an open dialog where possible to discuss issues.
We are happy to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at CSL.