Telecom Design vulnerability disclosure policy

Vulnerability disclosure policy

Telecom Design is committed to ensuring the security of its products and services. We work diligently to resolve security vulnerabilities when we discover them.

However, vulnerabilities can never be completely eliminated, despite best efforts.

We value collaboration with our community of users and researchers who can contribute to the identification of vulnerabilities in our products and services.

Please read this vulnerability disclosure policy before contacting us, and act in compliance with it.

Please note Telecom Design does not offer monetary rewards for vulnerability disclosures.

The Policy covers the disclosure of specific security vulnerabilities found in Telecom Design products or services. Vulnerabilities covered by this Policy are those that represent a weakness found in software or hardware components that, when exploited, may result in a negative impact to confidentiality, integrity, or availability of Telecom Design data or services.

Reporting

If you believe you have found a security vulnerability in one of our products or services, please contact our team by sending an email to vulnerability@telecomdesign.com.
Do not include personal data in your message, only what is necessary to contact you or analyze the vulnerability.

To help us handle your report, please include the following information:

  • Date of discovery
  • Product name, model number, as found on the device, if applicable
  • Serial number and other device information, if applicable
  • Software version, if applicable
  • URL and browser information, if applicable
  • Description of the vulnerability: severity, impacted systems, identified threats
  • Steps to reproduce the vulnerability. This is to help us understand the reported vulnerability, and allow us to confirm and analyze the vulnerability.

Rules of Engagement

Telecom Design appreciates the efforts and contributions from the security research community and requires that you adhere to the following rules.

Reporter Must:

  • Only access data and systems to the extent necessary to confirm the existence of a Security Vulnerability.
  • Stop research and/or testing activities upon confirming the existence of a Security Vulnerability, and report findings to Telecom Design without delay.
  • Securely delete all data retrieved during research as soon as the Security Vulnerability has been reported and confirmation of acceptance has been received from Telecom Design.
  • Wait for written approval from Telecom Design before publicly disclosing details of the Security Vulnerability. Content of the public disclosure must also be approved by Telecom Design.

Reporter Must Not:

  • Break any applicable laws or regulations.
  • Introduce a new, or attempt to exploit an existing, vulnerability.
  • Alter data on our systems or services.
  • Engage in social engineering or phishing of customers or employees.
  • Demand financial compensation in exchange for the disclosure of a vulnerability.
  • Access systems or data beyond what is necessary to identify and report a vulnerability.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Attempt or report any form of denial-of-service attack, or similar attacks.
  • Disrupt our services or systems.
  • Tamper with alarm system devices or systems belonging to existing clients, even if it is their own.
  • Modify, copy, share, corrupt or otherwise impact data processed or stored in Telecom Design products or services.
  • Interrupt alarm signals, notifications, or physically tamper with your own alarm system in any manner.
  • Perform testing or research against third party services or systems not belonging to Telecom Design, such as against external cloud provider infrastructure.
  • Access unnecessary, excessive, or significant amounts of data other than what is required for discovery and confirmation of the vulnerability.

What Not to Report:

  • Duplicate reports of Security Vulnerabilities.
  • Reports detailing non-exploitable vulnerabilities.
  • User interface bugs, user experience bugs, or spelling mistakes.
  • Reports indicating that services do not fully align with “best practice”, such as missing security headers or self cross-site scripting.

Telecom Design Must:

  • Acknowledge receipt of the vulnerability report within 5 working days. If you have not received an acknowledgement by then, consider resending the report.
  • Provide a written decision within 30 days as to whether or not the reporter can publicly disclose the vulnerability and any further steps.

Next steps

Telecom Design investigates all reports of Security Vulnerabilities affecting products and services. It is essential that you maintain confidentiality when reporting a vulnerability under this Policy. We ask that you do not disclose your investigation publicly until Telecom Design has completed the investigation, resolved or mitigated the vulnerability, and granted you permission to do so.

Our internal process for addressing the vulnerability starts with reviewing the report and determining its impact, severity, and complexity, before implementing remediation actions as appropriate.

Telecom Design reserves the right to share the contents of the submitted vulnerability report and any subsequent findings with relevant parties but will not disclose details associated with the reporter.

Third Party Products or Services

Products, systems, and data not owned by Telecom Design are not covered under this Policy. Reporters must follow responsible disclosure policies provided by respective third parties if they wish to perform research or testing of these systems.

What is vulnerability@telecomdesign.com not intended for?

The vulnerability@telecomdesign.com email address is intended only for reporting security vulnerabilities in our products or services. It is not intended for general questions, technical support information, or questions about your personal data. For these topics, please contact us by email at contact@telecomdesign.com.