To improve the user experience on this site we use cookies. I agree | I disagree

Security inquiries and reports

We proactively search for security deficiencies in our products. We monitor public vulnerability databases such as NVD and perform thorough penetration testing. We also appreciate Vulnerability Reports from security analysts around the world.

This page summarizes our vulnerability disclosure policy.

 

Report Vulnerability

If you have discovered a security vulnerability in cellular routers developed by Advantech Czech, please send a Report to security@advantech.cz. The report should all relevant information, but at least:

  • Finder’s contact information;
  • System information such as product name, firmware version, user modules and configuration (you can Save Report from the web-admin / System Log);
  • Technical details such as steps to trigger the vulnerability, sample packet capture or the exploit/attack code;
  • Disclosure plans, if any.

We strongly recommend you to encrypt the information using our public PGP key (fingerprint: A3D0 FAA9 4176 6747 51AB  A2A2 8B24 96F7 83AA 66AF).

The e-mail address is intended only for the purpose of reporting security vulnerabilities, which refers to a defect or weakness that can be exploited to disrupt confidentiality, integrity or availability of an ICT system or related information assets. Messages out of this scope will be dropped. For other issues and product related questions please contact the Advantech technical support.

If you have discovered a security vulnerability in other Advantech product, please contact also the Advantech technical support.

 

Response Process

We follow the ISO/IEC 29147:2014 recommendations, the Product Security Incident Response Team (PSIRT) Services Framework and the Common Vulnerability Scoring System (CVSS) Version 3.

Our response process has four steps:

Discovery ►Triage ►Remediation ►Disclosure

Monitor published vulnerabilities

Perform penetration testing

Receive Vulnerability Reports

Assign Tracking ID

Assess impact on products

Acknowledge Reports

Release software fixes

Update Security Guidelines

Update Vulnerability Advisory

Publish Release Notes

Notify on document updates

 

After receiving a Vulnerability Report we calculate its severity (CVSS Base score) and assess impact on our products. We attempt to acknowledge receipt to all submitted reports within seven calendar days. We inform and discuss with the finder a plan for a remediation and a public disclosure.

As each security vulnerability case is different, no particular remediation deadline is guaranteed. The remediation may include software fixes and release of a new product version and/or update to Security Guidelines. Through the whole cycle we maintain discussion with the finder and possibly the affected suppliers (e.g. library vendors) to ensure all concerns are addressed before making a synchronized public disclosure.

Unless the vulnerability is actively exploited, the Vulnerability Advisory and the remedy (new Release and/or updated Security Guidelines) are made available at the same time. Customers may use our RSS channel to subscribe for firmware and documentation updates. Registered advanced users may subscribe for e-mail notifications concerning specific documents or router models.

Registered users that agreed with our Security Information Access Terms can access Vulnerability Advisories in the CVRF/1.1 format and other security-related documents with limited distribution. To qualify, you need to sign Security Information Access Terms (PDF file), upload the document via your Profile and get approved. Please contact us at security@advantech.cz for more information.

 

Vulnerability Advisories

For vulnerability Disclosure we follow the Common Vulnerability Reporting Framework (CVRF) v1.1. We publish and continuously update Vulnerability Advisories in a form of machine readable CVRF files, one for each product group. Each CVRF file contains a list of all relevant vulnerabilities and for each vulnerability a list of affected product versions. For more details see the Vulnerability Advisory Format description.

Conel OS Advisory

  advantech-conel-os-allitems-cvrf.xml | 4 MB (07.07.2020)

  advantech-conel-os-allitems-cvrf.xml.sig | 438 bytes (07.07.2020) | PGP Signature