Coordinated Vulnerability Disclosure Policy Intelbras

 

Intelbras, a company that offers innovative solutions in security, networks, communication and energy, is committed to ensuring the safety of our customers. To that end, Intelbras is formalizing this policy for receiving reports of vulnerabilities in its products. We hope to promote an open partnership with the security community to continue ensuring the security of all our customers.

The Coordinated Vulnerability Disclosure Policy provides guidelines for security researchers to responsibly discover and report potential vulnerabilities identified in products manufactured by Intelbras.

 

INITIAL SCOPE

Intelbras' Coordinated Vulnerability Disclosure process covers the following CPE (Customer Premises Equipment) products:

- Cable modem;

- xDSL modem;

- ONU, ONT;

- Router or modem intended for Fixed Wireless Access (FWA);

- Router or modem intended for fixed satellite broadband access; and

- Wireless router or access point.

Researchers who send us a vulnerability report that meets the criteria and is of interest to Intelbras will receive credit for the discovery of the vulnerability on our website once the submission has been accepted and validated by our product security team.

 

RULES, ACCEPTANCE CRITERIA, AND PRIORITIZATION

The vulnerability reported by the researcher will be analyzed by Intelbras, which defines the acceptance criteria and prioritization of submissions as follows:

· The report should be well written in Portuguese or English;

· The report should contain proofs of concept to facilitate validation and triage, and should describe the bug, its impact, and any potential remediation;

· The reported vulnerability must be within the scope of the above-mentioned products; otherwise it will have low priority in Intelbras' analysis;

· Reports with only error screens or automated tool output will have low priority;

· Plans and intentions for public disclosure should be mentioned;

· The vulnerability report cannot be made by an employee of the Intelbras Group, or by anyone who has worked for the company in the last 12 (twelve) months;

· The researcher must exercise caution when using services that may impact users, and undertakes not to misuse any personal or sensitive data identified in the products.

 

WHAT YOU CAN EXPECT FROM US:

· A timely response to your email (within 5 business days);

· After screening, we will send you an expected timeframe for the correction and will be transparent in cases where the product is difficult to correct;

· Open dialogue to discuss issues related to the vulnerability;

· Notification when the vulnerability has been confirmed by our security team;

· Credit for the discovery of the vulnerability after its validation and remediation.

 

LEGAL STANCE

Intelbras has no intention of engaging in legal discussions against individuals who submit vulnerability reports through our CSIRT, as long as the reports comply with the requirements and criteria set forth in this policy, and the researchers:

· Engage in system or product testing without harming Intelbras and/or its customers;

· Participate in vulnerability testing within the scope of our Vulnerability Disclosure Policy;

· Receive permission and consent from the customer before engaging in vulnerability testing against their products, systems, etc.;

· Act in accordance with the laws of Brazil and of the country where the researcher is located while conducting the research;

· Refrain from disclosing details of the vulnerability to the public before 90 calendar days have passed or a mutually agreed deadline has expired.

Participation in the Intelbras Coordinated Vulnerability Disclosure process does not grant any intellectual property rights or ownership rights over Intelbras' products or services to participating researchers or any other third party.

The intellectual property rights are the exclusive property of Intelbras or its partners, and for this reason the protected material cannot be copied, reproduced, transmitted, displayed, sold, licensed or exploited for any other purpose.

 

HOW TO REPORT A VULNERABILITY

To report a vulnerability in an Intelbras product, please fill out the vulnerability form on the website of the Intelbras Information Security Incident Response and Handling Team (CSIRT - https://www.intelbras.com/pt-br/CSIRT-Intelbras).

By reporting a vulnerability, the researcher confirms that they understand and accept the policy and terms and conditions.