Reporting Security Issues to Dragos
Report Vulnerabilities in the Dragos Platform, Hardware, Services, and Threat Intelligence solutions
Dragos is on a mission to safeguard civilization. To that end, we are committed to maintaining the security and availability of the Dragos Platform, Hardware, Services, and Threat Intelligence solutions. To protect our customers, we welcome the private and responsible submission of vulnerability disclosures so that we may reduce risk to our customers, minimize potential expense and damages caused by a successful cyberattack, and further improve our security posture.
This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in our systems.
At Dragos, we embrace good faith security research that is helpful to the community. To protect our customers, employees, and business, we request security researchers maintain compliance with applicable laws and this policy. Dragos is not obligated to consider research that violates this policy and will consider a submission noncompliant if the vulnerability is publicly disclosed without express written consent from Dragos.
When you share information with us under this policy, you can expect the following from Dragos:
- Acknowledgment that your report has been received as well as a timely initial response to the submission.
- Our commitment to coordinating with you openly and working with you to understand and validate your report.
- If possible, we will confirm the existence of the vulnerability and describe the remediation process, including challenges that may delay resolution.
- Throughout the process, we will maintain a dialogue to discuss issues.
Reporting Policy Rules
To encourage legitimate vulnerability research and avoid malicious attacks, we ask that security researchers:
- Do not perform research on Dragos products licensed, owned, or operated by a Dragos customer without their express permission (for example, if you are an employee of a Dragos customer, you may not use your employer’s Dragos product for security research without authorization from management at your employer, such as the CISO);
- Do not perform attacks against Dragos employees, customers, partners, or representatives;
- Do not perform physical security attacks against any person or entity;
- Do not perform denial of service (DoS or DDoS) attacks;
- Follow these rules and the terms of any other relevant agreements;
- Notify us as soon as possible after you discover a real or potential security issue;
- Treat all vulnerability information and discussions with us as confidential, and do not disclose any such information or communications to any third party or to the public in general without the prior written authorization of Dragos;
- Avoid privacy violations, degradation of user experience, disruption to Dragos solutions, operations, or any production systems, and destruction or manipulation of data;
- Only use exploits to the extent necessary to confirm a vulnerability’s presence;
- Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems;
- Do not engage in extortion;
- Do not run automated scanning tools against Dragos products outside of your own network;
- Do not apply social engineering techniques (phishing, etc.);
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope; and
- Do not submit a high volume of low-quality reports.
Security researchers must provide us a reasonable amount of time to resolve the issue before disclosing it publicly.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information (PII), financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Any submissions from security researchers should be sent to firstname.lastname@example.org. No other channels should be used to discuss Dragos vulnerabilities or exploits.
Please include with your submission:
- A detailed description of the vulnerability or exploit, including the location it was discovered and the potential impact of the finding.
- Step-by-step actions that were taken and can be taken to validate the finding (screenshots are helpful).
- Information about your system’s configuration (browser, OS, product version, IP address associated with your activities).
- Any working Proof of Concept, if one was established.
Low-quality reports, such as those that include inadequate information to investigate, may result in delayed responses.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Dragos, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
Remediation & Disclosure
Reports may be submitted anonymously.
Security researchers must ensure that Dragos can diagnose and apply corrective measures before any party discloses vulnerabilities or exploits to the public.
Dragos follows a 90-day disclosure policy.
We consider research conducted under this policy to be:
- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our license agreements that conflict with conducting security research, which would be waived on a limited basis, conditioned upon strict compliance with this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report to email@example.com before going any further.
Please submit your disclosure to firstname.lastname@example.org.
Please submit only one finding per submission.
Questions regarding this policy may be sent to email@example.com.
We also invite you to contact us with suggestions for improving this policy.