Introduction

Echelon is committed to providing secure products and addressing identified security vulnerabilities. Echelon welcomes vulnerability reports from researchers, industry groups, CERTs, partners and any other source.

This document describes Echelon’s policy for receiving reports of potential security vulnerabilities in its products, and the company’s standard practice with regard to informing customers of verified vulnerabilities.

Reporting

If you believe you have identified a potential security vulnerability in one of our products, please contact Echelon by sending an email to security-alert@echelon.com. Please include a description of the vulnerability, how it was discovered, and the affected products. We encourage finders to use encrypted communication channels to protect the confidentiality of vulnerability reports. Our PGP public key is available at the following link:

Echelon PGP public key

The Company will usually acknowledge receipt within 5 working days. Echelon respects the interests of the reporting party, including requests to remain anonymous and/or to receive public acknowledgment.

Analysis

Echelon investigates and validates suspected vulnerabilities. If needed, Echelon may request additional information from the party that reported the vulnerability concern.

Handling

While investigating possible vulnerabilities, Echelon may work with the National Cybersecurity and Communications Center (NCICC) and other groups within that organization, including ICS-CERT, or other third parties. During this time, communication may be maintained with the reporting party, as we work to resolve the issue.

Disclosure

Echelon typically intends to issue a security bulletin for a validated vulnerability once a practical workaround or fix has been identified, though there may be instances when a bulletin is issued in the absence of a workaround. As each security vulnerability case is different, we may take alternative actions in connection with issuing security bulletins.

Echelon does not guarantee that security bulletins will be issued for any or all security issues that customers may consider significant, or that notices will be issued on any specific timetable. Echelon reserves the right to modify this policy at any time, in its sole discretion.

Security bulletins dealing with Echelon products may be distributed through postings on the Company’s website, via email to customers with current support contracts, and/or through the formal incident response community.