We proactively search for security deficiencies in our products. We monitor public vulnerability databases such as NVD and perform thorough penetration testing. We also appreciate Vulnerability Reports from security analysts around the world.
This page summarizes our vulnerability disclosure policy.
If you have discovered a security vulnerability in cellular routers developed by Advantech Czech, please send a Report to firstname.lastname@example.org. The report should all relevant information, but at least:
We strongly recommend you to encrypt the information using our public PGP key (fingerprint: A3D0 FAA9 4176 6747 51AB A2A2 8B24 96F7 83AA 66AF).
The e-mail address is intended only for the purpose of reporting security vulnerabilities, which refers to a defect or weakness that can be exploited to disrupt confidentiality, integrity or availability of an ICT system or related information assets. Messages out of this scope will be dropped. For other issues and product related questions please contact the Advantech technical support.
If you have discovered a security vulnerability in other Advantech product, please contact also the Advantech technical support.
We follow the ISO/IEC 29147:2014 recommendations, the Product Security Incident Response Team (PSIRT) Services Framework and the Common Vulnerability Scoring System (CVSS) Version 3.
Our response process has four steps:
|Discovery ►||Triage ►||Remediation ►||Disclosure|
Monitor published vulnerabilities
Perform penetration testing
Receive Vulnerability Reports
Assign Tracking ID
Assess impact on products
Release software fixes
Update Security Guidelines
Update Vulnerability Advisory
Publish Release Notes
Notify on document updates
After receiving a Vulnerability Report we calculate its severity (CVSS Base score) and assess impact on our products. We attempt to acknowledge receipt to all submitted reports within seven calendar days. We inform and discuss with the finder a plan for a remediation and a public disclosure.
As each security vulnerability case is different, no particular remediation deadline is guaranteed. The remediation may include software fixes and release of a new product version and/or update to Security Guidelines. Through the whole cycle we maintain discussion with the finder and possibly the affected suppliers (e.g. library vendors) to ensure all concerns are addressed before making a synchronized public disclosure.
Unless the vulnerability is actively exploited, the Vulnerability Advisory and the remedy (new Release and/or updated Security Guidelines) are made available at the same time. Customers may use our RSS channel to subscribe for firmware and documentation updates. Registered advanced users may subscribe for e-mail notifications concerning specific documents or router models.
Registered users that agreed with our Security Information Access Terms can access Vulnerability Advisories in the CVRF/1.1 format and other security-related documents with limited distribution. To qualify, you need to sign Security Information Access Terms (PDF file), upload the document via your Profile and get approved. Please contact us at email@example.com for more information.
For vulnerability Disclosure we follow the Common Vulnerability Reporting Framework (CVRF) v1.1. We publish and continuously update Vulnerability Advisories in a form of machine readable CVRF files, one for each product group. Each CVRF file contains a list of all relevant vulnerabilities and for each vulnerability a list of affected product versions. For more details see the Vulnerability Advisory Format description.