Vulnerability Disclosure Policy.

Comelit Vulnerability Disclosure Policy.

Since security is of critical importance to us and to our customers, we at Comelit are committed to ensuring the safety and security of our products and services. Comelit supports coordinated vulnerability disclosure and encourages responsible vulnerability testing, and we take any report of a potential security vulnerability seriously.
To report a potential security vulnerability, please follow these steps.


Reporting procedure

  • Submit the Vulnerability Report to security@comelitgroup.com.
  • Please consider using our OpenPGP public key (https://comelitgroup.com/openpgp-key.txt) to encrypt any email submissions.
  • Write the Vulnerability Report in English.
  • Provide sufficient contact information, such as:
    1. your email;
    2. name of the person who found the vulnerability.
  • Provide information about the vulnerability:
    1. date when the vulnerability was detected;
    2. details about how it has been discovered;
    3. a technical description of the vulnerability.
  • Provide as much information as you can on the product or service affected by the vulnerability, like:
    1. version number (hardware and software);
    2. configuration of the setup used.
  • If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such, and preferably encrypted with our PGP key.
  • If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information together with the instructions to reproduce the vulnerability.


Internal assessment and action

  1. Comelit will acknowledge receiving your Vulnerability Report within 5 business days.
    • If the Vulnerability Report contains all the required information, Comelit will contact you and provide a unique tracking number;
    • If the Vulnerability Report is not complete (more information is needed), Comelit will request the missing information from you. If the reporter does not respond within 30 days, the report will automatically be considered resolved.
  2. Comelit will start an internal Vulnerability Management Process to manage the reported vulnerability:
    • Vulnerability Identification;
    • Vulnerability Triage;
    • Vulnerability Assessment;
    • Vulnerability Addressing.
  3. Comelit will monitor the status of the Vulnerability Management Process, and will keep you updated until the resolution of the security issue.
  4. Comelit will use existing customer notification processes to manage the release of patches or security fixes, which may include without limitation and at Comelit’s sole discretion, direct customer notification or public release of an advisory notification on our website.
  5. If the vulnerability is actually in a third-party component or service that is part of our product/service, Comelit will forward the Vulnerability Report to that third party and advise you of that notification. To that end, please state in your email whether, in such cases, we may provide your contact information to the third party.


Notice

If you share any information with Comelit in the context of responsible disclosure, you agree that the information you submit will be considered non-proprietary and non-confidential.
Comelit is allowed to use the shared information, or any part of it, without restriction. You agree that submitting information does not create any rights for you or any obligation for Comelit.
Personal data is processed by Comelit based on the Privacy Policy.

Use these links to access free software to read and author OpenPGP encrypted messages:
• GnuPG
• Gpg4win