
Security Inquiries and Reports

We proactively search for security deficiencies in our products. We monitor public vulnerability databases such as NVD and perform thorough penetration testing. We also appreciate Vulnerability Reports from security analysts around the world.

This page summarizes our vulnerability disclosure policy.

 

Report Vulnerability

We are listed in the Trusted Introducer database. If you have discovered a security vulnerability in cellular routers or other software developed by Advantech Czech, please send a Report to security@advantech.cz. The report should include all relevant information, but at least:

  • Finder’s contact information;
  • System information such as product name, firmware version, user modules and configuration (you can Save Report from the web-admin / System Log);
  • Technical details such as steps to trigger the vulnerability, sample packet capture or the exploit/attack code;
  • Disclosure plans, if any.

We strongly recommend that you encrypt the information using our public PGP key (fingerprint: A3D0 FAA9 4176 6747 51AB  A2A2 8B24 96F7 83AA 66AF).

The e-mail address is intended only for reporting security vulnerabilities, meaning a defect or weakness that can be exploited to disrupt the confidentiality, integrity or availability of an ICT system or related information assets. Messages outside this scope will be dropped. For other issues and product-related questions, please contact the Advantech technical support.

If you have discovered a security vulnerability in another Advantech product, please also contact the Advantech technical support.

 

Response Process

We follow the ISO/IEC 29147:2014 recommendations, the Product Security Incident Response Team (PSIRT) Services Framework and the Common Vulnerability Scoring System (CVSS) Version 3.

Our response process has four steps:

Discovery ► Triage ► Remediation ► Disclosure

  • Discovery: monitor published vulnerabilities, perform penetration testing, receive Vulnerability Reports;
  • Triage: assign Tracking ID, assess impact on products, acknowledge Reports;
  • Remediation: release software fixes, update Security Guidelines;
  • Disclosure: publish Security Advisory, update Vulnerability Digest, notify on document updates.

 

After receiving a Vulnerability Report we calculate its severity (CVSS Base score) and assess the impact on our products. We attempt to acknowledge receipt of all submitted reports within seven calendar days. We inform the finder of a plan for remediation and public disclosure and discuss it with them.

As each security vulnerability case is different, no particular remediation deadline is guaranteed. The remediation may include software fixes and the release of a new product version and/or an update to the Security Guidelines. Throughout the whole cycle we maintain discussion with the finder and possibly the affected suppliers (e.g. library vendors) to ensure all concerns are addressed before making a synchronized public disclosure.

Unless the vulnerability is actively exploited, the Security Advisory and the remedy (new Release and/or updated Security Guidelines) are made available at the same time. Customers may use our RSS channel to subscribe to firmware and documentation updates. Registered advanced users may subscribe to e-mail notifications concerning specific documents or router models.

For registered users who have agreed to our Security Information Access Terms we also publish and continuously update a Vulnerability Digest in the CVRF/1.1 format. Each CVRF file contains a list of all relevant vulnerabilities and, for each vulnerability, a list of affected product versions. For more details see the Vulnerability Digest Format description.
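The following is an added example, not Advantech's code, of reading a CVRF 1.1 digest of the kind described above to list which product versions each vulnerability affects. It assumes the standard CVRF 1.1 element names and namespaces; the sample document, product names and product IDs are constructed, and the vendor's actual layout is defined in the Vulnerability Digest Format description.

```python
import xml.etree.ElementTree as ET

# Namespaces from the CVRF 1.1 schema (assumed to be used unchanged by the digest).
NS = {"prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
      "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1"}
# Status types that mean "this product version is vulnerable".
AFFECTED = {"First Affected", "Known Affected", "Last Affected"}

# Constructed sample, not a real digest: titles, product names and IDs are made up.
SAMPLE = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <FullProductName ProductID="FW-1.0.0">ExampleRouter firmware 1.0.0</FullProductName>
    <FullProductName ProductID="FW-1.1.0">ExampleRouter firmware 1.1.0</FullProductName>
  </ProductTree>
  <Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <Title>Placeholder issue A</Title>
    <ProductStatuses>
      <Status Type="Known Affected"><ProductID>FW-1.0.0</ProductID></Status>
      <Status Type="Fixed"><ProductID>FW-1.1.0</ProductID></Status>
    </ProductStatuses>
  </Vulnerability>
  <Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <Title>Placeholder issue B</Title>
    <ProductStatuses>
      <Status Type="Known Affected"><ProductID>FW-1.0.0</ProductID><ProductID>FW-1.1.0</ProductID></Status>
    </ProductStatuses>
  </Vulnerability>
</cvrfdoc>"""

def affected_map(xml_text):
    """Return {vulnerability title: sorted list of affected product names}."""
    root = ET.fromstring(xml_text)
    names = {p.get("ProductID"): (p.text or "").strip()
             for p in root.iterfind(".//prod:FullProductName", NS)}
    result = {}
    for v in root.iterfind("vuln:Vulnerability", NS):
        title = v.findtext("vuln:Title", default="(untitled)", namespaces=NS)
        ids = {(pid.text or "").strip()
               for s in v.iterfind("vuln:ProductStatuses/vuln:Status", NS)
               if s.get("Type") in AFFECTED
               for pid in s.iterfind("vuln:ProductID", NS)}
        # IDs missing from the product tree are kept verbatim, not silently dropped.
        result[title] = sorted(names.get(i, i) for i in ids)
    return result

def vulns_for(xml_text, product_name):
    """Titles of all vulnerabilities that list product_name as affected."""
    return [t for t, prods in affected_map(xml_text).items() if product_name in prods]
```

Status types such as "Fixed" or "Known Not Affected" are deliberately excluded, so a version listed only as fixed does not show up as vulnerable.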

The Security Advisories and the Vulnerability Digest are located in the Download section.