Vulnerability Disclosure Policy
If you act in good faith to identify and report vulnerabilities on Sepura’s products, we will work with you to investigate and resolve any reported issues. If you comply with the guidelines provided below Sepura will not pursue legal action related to your research.
Prohibited Activities
While carrying out your activities, it is imperative that you:
- Do not take advantage of the vulnerability or issue you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability, or by deleting or modifying any other data.
- Use only non-malicious techniques to confirm that a vulnerability is present.
- Do not reveal any data downloaded during the discovery of a vulnerability to the public or any other party.
- Do not reveal the vulnerability or issue to the public or any other party until the reported vulnerability has been resolved.
- Stop the test(s) upon the discovery of any sensitive information and do not disclose any obtained output to anyone other than Sepura.
Do not perform the following actions:
- Place malware (virus, worm, Trojan horse, etc.) on any product(s).
- Compromise any systems using methods to gain full or partial control.
- Copy, modify or delete data.
- Make changes to the product(s).
- Repeatedly access or share access with the public.
- Attempt to access additional systems using any access to one system that has been successfully obtained.
- Change access rights of other users.
- Use automated scanning tools.
- Use a so-called “brute force” attack to access any systems.
- Use denial-of-service or social engineering (phishing, vishing, spam, etc.).
- Use attacks on physical security.
Reporting a Vulnerability
If you have identified a vulnerability, please take the following steps:
- Email your findings to security@sepura.com as soon as possible. Please indicate whether you consent to being publicly credited as the discoverer of the issue.
- Encrypt your report using this public PGP key to ensure any sensitive information is protected from unauthorised access.
- Provide us with sufficient information to reproduce and verify the issue so that we can investigate and address it promptly.
- Provide your report in English to ensure an accurate and efficient investigation.
When you report a vulnerability to us, we will:
- Respond within five (5) business days with our initial evaluation.
- Handle your report with strict confidentiality.
- Where possible, inform you of any resolution to the vulnerability.
- Process the personal data that you provide (e.g. name, e-mail address) in accordance with applicable data protection laws. We will not share your personal details with any third party without your prior written consent.
Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. Without prejudice to paragraph 2 of this policy, this policy does not give you permission to act in any manner that is inconsistent with the law, or which might cause our organisation or partner organisations to be in breach of any legal obligations.