Vulnerability Disclosure Policy

Secure Thingz Ltd welcomes responsible disclosure of vulnerabilities in any of our products. Security researchers are invited to contact us privately by email with the details of any vulnerability found, optionally encrypting sensitive information with OpenPGP using our public key referenced below.

Please refrain from any wider publication until Secure Thingz agrees to it; this may need to wait until a security patch has been successfully rolled out and affected customers are protected.

Our contact details can be found in the file "security.txt", which contains the email address security-alert@securethingz.com and our GPG public key, which you can use to encrypt information about the vulnerability.

We will endeavour to respond to your email within a week, once our vulnerability triage is complete. Note that we may need to coordinate disclosure with other vendors that use our products, so we ask for your patience; this coordination is in everyone's interest and is what responsible disclosure requires.

If a vulnerability you report in one of our products results in a security patch, we will, if you wish, publicly acknowledge your help in identifying it in the Security Advisory and/or on this web site.

References

  • Secure Thingz "security.txt"
  • Secure Thingz GPG public key
  • ISO/IEC 29147:2018 Vulnerability disclosure
  • ISO/IEC 30111:2019 Vulnerability handling processes
  • Code of Practice for Consumer IoT Security, UK Government, Department for Digital, Culture, Media & Sport