Vulnerability Disclosure

RPS (Riello UPS) Responsible Disclosure Statement

Since security is of critical importance to us and to our customers, we at RPS (Riello UPS) are committed to ensuring the safety and security of our products and services. RPS (Riello UPS) supports coordinated vulnerability disclosure and encourages responsible vulnerability testing - we take any reports of potential security vulnerabilities seriously.

Please follow these steps to report a potential security vulnerability:

Reporting Procedure:

  • Please use our PGP public key to encrypt any email submissions to us at security-incident@riello-ups.com. (You will find our PGP public key if you click the icon under Documents at the bottom of this page.)
  • Provide sufficient basic information, such as:
    1. Your contact information
    2. Name of the person who found the vulnerability
    3. Date when the vulnerability was detected and details about how it was discovered
  • Include a technical description of the concern or vulnerability. Provide as much information as you can on the product or service, for example, the version number and configuration files. If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such and is encrypted with our PGP key.
  • If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information.

Security Vulnerability Report Assessment & Action:

  • RPS (Riello UPS) will:
    1. Acknowledge receiving your report within 7 business days.
    2. Provide you with a unique tracking number for your report.
    3. Assign a contact person to each submitted case.
    4. Notify the interested internal technical teams.
  • RPS (Riello UPS) will keep you informed on the status of your report.
  • If the vulnerability is actually in a third-party component or service which is part of our product/service, we will refer the report to that third party and advise you of that notification. To that end, please inform us in your email whether it is permissible in such cases to provide your contact information to the third party.
  • Upon receiving a vulnerability report, RPS (Riello UPS) will:
    1. Verify the reported vulnerability.
    2. Work on a resolution.
    3. Perform QA/validation testing on the resolution.
    4. Release the resolution.
    5. Share lessons learned with development teams.
  • RPS (Riello UPS) will use existing customer notification processes to manage the release of security fixes, which may include without limitation and at RPS (Riello UPS)’s sole discretion, direct customer notification or public release of an advisory notification on our website.

Important Information:

  • Refrain from including sensitive personal information in any screenshots or other attachments you provide to us.
  • Do not perform any vulnerability testing on applications, products, or services that are actively in use. Vulnerability testing should only be performed on devices or applications, products, and services not currently in use or not intended for use.
  • Do not take advantage of the vulnerability or problem you have discovered; for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data. Try not to delete or use data belonging to other users.
  • As part of responsible coordination of vulnerability disclosure, we encourage you to work with RPS (Riello UPS) on selecting public release dates for information on discovered vulnerabilities.
  • In any effort to find vulnerabilities, actions must not be disproportionate. This includes, without limitation:
    1. Using social engineering to gain access or information.
    2. Installing or building backdoors in an application, product, or service with the intention of then using it to demonstrate the vulnerability.
    3. Utilizing a vulnerability further than what is necessary to establish its existence.
    4. Making changes to the application, product, or service.
    5. Repeatedly gaining access to the application, product, or service or sharing access with others.
    6. Using brute force attacks to gain access to the application, product, or service. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords.
  • RPS (Riello UPS) will provide full credit to researchers who make a vulnerability report or perform testing, in any publicly released patch or security fix release information, if requested.

Notice:
If you share any information with RPS (Riello UPS) in the context of responsible disclosure, you are agreeing that the information you submit will be considered as non-proprietary and non-confidential. RPS (Riello UPS) is allowed to use this shared information, or part of it, without any restriction. You agree that submitting information does not create any rights for you or any obligation for RPS (Riello UPS).

Last update: 24 May 2024

Documents

PGP public key