Product Security

Ensuring the security of its products and services is paramount to Ascom. Ascom is committed to fixing all reported security vulnerabilities quickly and carefully protecting the security and privacy of our stakeholders.

Ascom’s Vulnerability Disclosure Policy applies to all vulnerabilities found in any Ascom products released to the public. Ascom encourages you to report on potential vulnerabilities through the following secure communication channel.
To report security or privacy issues that affect Ascom products, please contact us: productsecurity@ascom.com

Note: The productsecurity@ascom.com email is intended for the sole purpose of reporting a security vulnerability. If you need technical assistance, please contact our support help desk: info@ascom.com


Content of the report
Please strive to include the following attributes in your report:

  1. Product or service name, URL, or affected version information.
  2. Operating system of the components involved.
  3. Version of information.
  4. Technical description of what actions were being performed and the result in as much detail as possible.
  5. Sample code that was used to test or demonstrate the vulnerability.
  6. Reporter’s contact information.
  7. Other parties involved.
  8. Disclosure plans.
  9. Threat/risk assessment details of the identified threats and/or risks, including a risk level (high, medium, low) for the assessment result.
  10. Software configuration of the computer or device at the time the vulnerability was discovered.
  11. Relevant information about connected components and devices if a vulnerability arises during interaction. When a secondary component or device triggers the vulnerability, these details should be provided.
  12. Time and date of discovery.
  13. Browser information, including type and version information.

Ineligible reports
All content other than specific security vulnerabilities in our products or services will be dropped.
Examples of ineligible reports:

  • Login issues and password problems
  • Spelling mistakes
  • HTTP 404 pages
  • Spam or suspected fraud activities 

Examples of non-permitted acts:

  • DDoS attacks
  • Brute-force attacks
  • Social engineering
  • Malware installation
  • Making any changes to our system
  • Sharing access with other users

Vulnerability handling

Once we receive your vulnerability report, we will take every necessary step to investigate and resolve the security issue at hand swiftly and transparently.
We will acknowledge that your report has been received within 7 days.
We will endeavor to keep the reporter informed about the progress of the vulnerability handling process. Since each issue requires investigation, resolution, localization, and testing appropriate to its complexity, we cannot provide patches according to a fixed timeline.
We request that you keep all communications regarding the vulnerability confidential, to ensure mutual trust and the flexibility to work with us towards the release of a patch, while guaranteeing an adequate timeframe for our customers to deploy said patch.
We will publicly announce the vulnerability in our release note of the update on the Ascom Portal and on any other public platforms as we see fit. We are open to mentioning the person/people who reported the vulnerability unless they wish to remain anonymous.

 

Authorization
If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and Ascom will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.