VULNERABILITY DISCLOSURE POLICY
Updated 9 September 2021
Ampotech Pte Ltd ("Ampotech"/"we"/"us") is committed to delivering safe and secure products and services. When vulnerabilities are discovered, we work diligently to resolve them. This document describes Ampotech’s policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.
When to contact the Product Security Incident Response Team (PSIRT)
Contact the Ampotech Product Security Incident Response Team (PSIRT) by sending an email to firstname.lastname@example.org if you have identified a potential security vulnerability in one of our products. After your incident report is received, the appropriate personnel will contact you to follow up.
The email@example.com email address is intended ONLY for the purpose of reporting security vulnerabilities specific to our products or services. For technical support information on our products or services, please visit our website (www.ampotech.com) or contact firstname.lastname@example.org.
Ampotech strives to acknowledge receipt of all submitted reports within three business days.
Receiving security information from Ampotech
Technical information about security advisories related to our products and services is posted on our web site at www.ampotech.com. In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability, though there may be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.
When Ampotech is notified by a third party of a potential vulnerability found in our products, we will investigate the finding and may publish a coordinated disclosure along with the third party. In some instances, Ampotech may receive information about a security vulnerability from a supplier under a confidentiality or non-disclosure agreement. In these cases, Ampotech will work with the supplier to request that a security fix is released, although we may not be able to provide details about the security vulnerability.
In scoring or rating vulnerabilities, Ampotech follows standard industry best practices to designate the vulnerability’s potential impact as High, Medium or Low. This approach follows the Common Vulnerability Scoring System (CVSS), which provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors, and researchers to all benefit by adopting a common language for scoring IT vulnerabilities.
Security advisories are written to clearly explain the vulnerability, including the name, the cause and other available information. Advisories provide information about known threats that relate to the vulnerability (e.g. the existence of exploit or proof-of-concept code, discussion or evidence of incident activity). The advisory also describes potential/expected consequences of attacks against the vulnerability.
Generally, security advisories include a list of Ampotech products with a status of Affected, Not Affected or Researching. Affected products will include a link to the fix, which can be downloaded from the Ampotech web site (where all updates are maintained), or a recommended workaround and/or a target date for remediation. In cases where the vulnerability is specific to a particular set of products, Ampotech may only provide a list of the affected products. On occasion, Ampotech may find it necessary to publish a security advisory in advance of completing an impact assessment across all products. In these cases, a status of Researching will be shown. It is recommended that customers visit the security advisory site to stay current with the advisory status.
For product vulnerabilities, the advisory provides information on how to obtain the fix or security patch. In some cases, a workaround may be recommended to help customers protect the affected products in use through operational effort or by limiting use in some way without applying the security fix or patch.
If additional information on the vulnerability is available, the advisory will provide links as a reference. This includes links to the CVE entry or to blog or article citations.
Typically, we look to acknowledge the researcher or finder of the vulnerability and, with their permission, will provide them with a credit.
Security Support Duration
We will provide updates to our devices up to 31 December 2024, and extended support may be provided after the stated date.
NOTE: all aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.