Responsible Disclosure Policy
Digi International Inc. endeavors to ensure our customers have confidence in the security of our products and services. If you have discovered a security vulnerability on Digi.com or any Digi branded Product or Service, we request that you disclose it to us in accordance with this Responsible Disclosure Standard.
To deliver a safe and secure reporting mechanism for our customers and for researchers, we partner with Bugcrowd Inc. (“Bugcrowd”) and use their Vulnerability Disclosure Program platform. Upon validation of a submission, Digi will fix vulnerabilities according to our risk management standards, in keeping with our continued commitment to the confidentiality, integrity, and availability of our infrastructure and products.
To report a suspected vulnerability, please submit detailed information using the form at the bottom of this page. Please review the vulnerability submission report data section for suggestions for what to provide for case details.
Security Decorum
The following sets out the expected behavior, etiquette, and principles governing participation in our vulnerability disclosure program and any related security research activities.
- Always comply with data protection rules and do not violate the privacy of our users, staff, contractors, services, or systems.
- You must not, for example, share, redistribute, or fail to properly secure data retrieved from our systems or services.
- You must not access, download, or modify data that does not belong to you.
- Do not disclose any identified or alleged vulnerability addressed in your submission to the public or to a third party without express written consent from Digi.
- Securely delete all data retrieved during your research as soon as it is no longer required or within one month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
Submission Communication Lifecycle
Digi’s Security Team is committed to coordinating with the researcher as transparently and quickly as possible. The submission lifecycle includes the following:
- The researcher or customer submits the form in accordance with our Vulnerability Disclosure Standard and Program.
- All communication with Digi about the submitted vulnerability will be conducted through the email address provided in the Bugcrowd Vulnerability Disclosure platform submission. (Note: To communicate with Digi's and Bugcrowd's security teams, you must claim the submission by responding to the email validation that Bugcrowd sends to your address.)
- Digi’s security team responsible for vulnerability coordination will acknowledge receipt of a potential vulnerability within four days of submission.
- Members of Digi’s security team appear as Digi_Sec_(name of Digi staff member) in the communication chain and will keep the submitter updated throughout the lifecycle of the vulnerability.
- Bugcrowd and Digi’s security team will assess the vulnerability based on our risk classification system.
- Once the vulnerability is determined to be valid, it will be triaged according to the product team’s lifecycle management process. The outcome may require action under Digi’s patch policies, located here: https://www.digi.com/resources/security/security-policies
Included Submission Types
- Business Logic vulnerabilities
- OWASP Top 10
- Information Disclosure
- Data Exposure
- Authorization/Authentication issues
- Anything not on the above list that impacts, or could impact, the confidentiality, integrity, or availability of Digi systems, services, or Digi property may also be submitted.
Vulnerability Submission Report Data
The following information will help Digi’s and Bugcrowd’s security teams validate and triage the vulnerability.
- Product or service name, URL, or affected firmware version
- Operating system of involved components
- Version information
- Technical description of what actions were being performed and the result in as much detail as possible
- Sample code that was used to test or demonstrate the vulnerability
- Reporter’s contact information
- Other parties involved, if applicable
- Disclosure plans
- Threat/risk assessment details of the identified threats and/or the risk level (P1 Critical, P2 Severe, P3 Moderate, P4 Low, P5 Informational)
- Software configuration of the computer or device at the time the vulnerability was discovered
- Relevant information about connected components and when the vulnerability occurs (e.g., a secondary component or device triggers the vulnerability)
- Time and date of discovery
- Browser information including type and version information, if applicable
Risk Classification System
For the initial prioritization/rating of findings, this program uses the Bugcrowd Vulnerability Rating Taxonomy. In some cases, however, a vulnerability’s priority will be modified based on its likelihood or impact. Whenever an issue is downgraded, a full, detailed explanation will be provided to the researcher along with the opportunity to appeal and make a case for a higher priority. Before submitting risk assessment information, please consider the severity breakdown we follow on Bugcrowd’s platform:
- P1 Critical: The issue identified in the submission has the highest priority and is treated as a major blocker. Typically, a P1 submission renders the application unusable, has the potential to disrupt business operations, and requires immediate attention.
- P2 Severe: The issue identified in the submission is not critical but significantly impacts the application.
- P3 Moderate: The submission does not present a critical or severe issue but does uncover a flaw in the application that needs to be fixed.
- P4 Low: The submission is the lowest priority and represents a minor issue.
- P5 Informational: The submission describes something suspicious but is not conclusive as to whether it poses any risk.
Prohibited Actions
The following actions are prohibited under this standard. Digi International reserves all legal rights if you engage in any of these prohibited activities.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
  - If you discover a vulnerability that could be used to perform a DoS or DDoS type of attack, please submit the information you have discovered but do not perform the attack.
  - DoS testing against Digi International products owned solely by the researcher or customer is acceptable if it is performed on a network owned and operated by that researcher or customer.
- Spam reports or solicitation
- Phishing, vishing, and spear phishing reports
- Social engineering reports
- Open ports with no accompanying demonstration or proof of concept of a vulnerability
- Findings generated by automated tools without a detailed explanation of which parts are vulnerable and how the vulnerability might be exploited