Introduction: What is a Vulnerability Disclosure Policy?
A vulnerability is any weakness, flaw, or security gap in information and communications technology (ICT) products or services that could be exploited by a threat actor. Vantiva handles the disclosure of potential vulnerabilities in line with ISO/IEC 29147:2018 and any relevant regulations. This policy also aligns with the EU NIS2 Directive (Directive (EU) 2022/2555) and the EU Cyber Resilience Act, which require coordinated vulnerability disclosure and secure lifecycle management of ICT products.
A Vulnerability Disclosure Policy (VDP) provides security researchers and ethical hackers with clear guidelines for identifying and reporting potential security vulnerabilities. It ensures a structured communication process for those who wish to report vulnerabilities in our products and services.
A well-designed VDP serves as the foundation for a comprehensive vulnerability disclosure program. This program outlines how Vantiva handles reports both legally and technically, how we engage with security researchers, how our teams assess, address, and disclose vulnerabilities, and how findings and outcomes are shared with stakeholders and decision-makers.
Promise
Vantiva develops technologies and devices that enable seamless content experiences in homes worldwide. We are committed to ensuring the security and privacy of our customers.
As part of this commitment, we have established this policy to accept and process vulnerability reports. We value collaboration with the security community and recognize its essential role in helping us maintain a secure environment for all our customers.
This policy reflects our corporate values and our legal responsibility to engage with good-faith security researchers who share their expertise with us.
Scope
Vantiva’s Vulnerability Disclosure Program applies to:
- All hardware and software products manufactured and distributed by Vantiva
- All software solutions created and distributed by Vantiva
- Services hosted by Vantiva (e.g., websites, APIs, and online platforms)
- Third-party services integrated into Vantiva products
Test Methods
The following test methods and actions are strictly prohibited:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
- Deliberately introducing vulnerabilities, such as creating a backdoor in an information system in order to exploit it later as proof of the vulnerability
- Repeatedly gaining access to a system once the vulnerability has been confirmed, or sharing that access with others
Legal Posture/Safe Harbor/Confidentiality
Vantiva will not take legal action against individuals who submit good-faith, accurate vulnerability reports to us. We openly accept reports for Vantiva products and services. We agree not to pursue legal action against individuals who:
- Engage in vulnerability testing or research without disrupting or harming Vantiva, its partners, or the users of its products and services
- Engage in vulnerability testing within the scope of our vulnerability disclosure program
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires
In turn, Vantiva will protect the personal information that researchers submit as part of a vulnerability report.
How to Report a Vulnerability
To report a vulnerability to Vantiva’s security team, please complete the form at https://www.vantiva.com/contact and select the Security dropdown option.
Our security contact details (PGP/GPG key location, email address, and so on) are published in our security.txt file at: https://www.vantiva.com/.well-known/security.txt
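The security.txt file referenced above follows RFC 9116, which fixes the location (/.well-known/security.txt over HTTPS), the field names, and two mandatory fields: at least one Contact URI and exactly one Expires date-time, after which the file's contents must be treated as stale. Before trusting a published key or address, a reporter should check those rules rather than just read the file. The following is an added example written for this page, not Vantiva's code; the sample file embedded in it is constructed, and its URLs and the mailto: address are placeholders, not Vantiva's real entries. It strips an OpenPGP cleartext signature if one wraps the file, parses the fields, and reports RFC 9116 violations.

```python
"""Parse and sanity-check an RFC 9116 security.txt file (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample for this example. Not Vantiva's real file; the URLs
# and address are placeholders only.
SAMPLE_SECURITY_TXT = """\
# Constructed example security.txt
Contact: https://www.vantiva.com/contact
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00.000Z
Encryption: https://www.vantiva.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://www.vantiva.com/.well-known/security.txt
Policy: https://www.vantiva.com/vulnerability-disclosure-policy
"""

SINGLE_VALUED = {"expires", "preferred-languages"}          # MUST NOT repeat
URI_FIELDS = {"contact", "encryption", "acknowledgments",
              "canonical", "policy", "hiring"}
PREFERRED_SCHEMES = ("https://", "mailto:", "tel:")         # stricter than the RFC's plain "URI"


@dataclass
class SecurityTxt:
    fields: dict = field(default_factory=dict)   # lower-cased name -> list of values
    problems: list = field(default_factory=list)

    def get(self, name: str) -> list:
        return self.fields.get(name.lower(), [])

    @property
    def valid(self) -> bool:
        return not self.problems


def _strip_cleartext_signature(text: str) -> str:
    """Return the signed body of an OpenPGP cleartext-signed file, else text unchanged.
    (This does not verify the signature; use gpg --verify for that.)"""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i].strip():   # skip "Hash: ..." armor headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)   # undo dash-escaping
    return "\n".join(body)


def _parse_instant(value: str) -> datetime:
    """Parse an ISO 8601 date-time; a trailing Z means UTC."""
    when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def parse_security_txt(text: str, now: str | None = None) -> SecurityTxt:
    """Parse `text` and record RFC 9116 problems. `now` is an ISO 8601 instant
    to evaluate Expires against (defaults to the current UTC time)."""
    result = SecurityTxt()
    ref = _parse_instant(now) if now else datetime.now(timezone.utc)
    for lineno, raw in enumerate(_strip_cleartext_signature(text).splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            result.problems.append(f"line {lineno}: not a 'Name: value' field")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        name = name.lower()
        if name in URI_FIELDS and not value.lower().startswith(PREFERRED_SCHEMES):
            result.problems.append(f"line {lineno}: {name} is not an https/mailto/tel URI")
        result.fields.setdefault(name, []).append(value)

    if not result.get("contact"):
        result.problems.append("missing required Contact field")
    for name in SINGLE_VALUED:
        if len(result.get(name)) > 1:
            result.problems.append(f"{name} must appear at most once")
    expires = result.get("expires")
    if not expires:
        result.problems.append("missing required Expires field")
    else:
        try:
            when = _parse_instant(expires[0])
            if when <= ref:
                result.problems.append("file has expired; treat its contents as stale")
            elif when - ref > timedelta(days=366):
                result.problems.append("Expires is over a year out (RFC 9116 recommends less)")
        except ValueError:
            result.problems.append("Expires is not an ISO 8601 date-time")
    return result


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT, now="2029-06-01T00:00:00Z")
    print("valid" if parsed.valid else "problems:", parsed.problems)
```

To check a live file, fetch it over HTTPS only, pass the body to `parse_security_txt`, and, if it is cleartext-signed, verify the signature with `gpg --verify` against a key you obtained out of band; the parser above only removes the signature framing, it does not verify it.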
Preference, Prioritization, and Acceptance Criteria
We will assess and prioritize submissions based on the following criteria.
What we expect from vulnerability reporters:
- Well-written reports in English or French, as these have a higher chance of resolution.
- Reports that include proof-of-concept details, including a description of the equipment set-up and a list of standard or specialized tools will equip us to better triage.
- Reports that include the product name and firmware version will speed up our response.
- Reports that contain the Internet Service Provider being used may help our triage.
- Reports should describe how the vulnerability was identified, the impact, and any potential mitigation or remediation guidance.
- Provide details of past or planned communication to regulatory organizations / other third parties about any discovered vulnerabilities, including timelines.
- Give Vantiva the opportunity to review any publication about the vulnerability before it is disclosed.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data unless written permission / consent is obtained from the owner of the Vantiva product, where applicable, prior to initiating research or testing activities against their devices, software, infrastructure, etc.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Do not submit a high volume of low-quality reports
- Reports that include only crash dumps or output from automated tools may receive lower priority.
- Do not include personal data (PII) or other sensitive or confidential data in a vulnerability report, and state in the report that none is included, unless such data is handled in accordance with applicable privacy and data protection laws (minimize the personal data you collect, store any vulnerability data securely, and securely dispose of personal data that is not needed).
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Additionally, where applicable:
- Ensure submissions do not contain sensitive information, such as Patient Health Information (PHI) or Personally Identifiable Information (PII)
- Do not perform research or testing on Vantiva products, services, or infrastructure that may lead or contribute to harm of people or property
- Avoid researching or testing products in clinical settings or other active environments where the products may be used for patient diagnosis, treatment, care, or monitoring
Expectations After Submission
What a vulnerability reporter can expect from Vantiva:
- A timely response to the initial submission (within 5 business days, or sooner where regulation requires it).
- After triage, we will provide an estimated timeline and commit to being transparent about the remediation timeline as well as on issues or challenges.
- An open dialog to discuss issues.
- Timely notification of our vulnerability analysis process and progress.
- Credit in our customer-facing notification documentation, if desired.
What not to expect from us:
- Vantiva does not offer any bug bounty program and will not pay for vulnerability reports.
If we are unable to resolve communication issues or other problems, Vantiva may bring in a neutral third party (such as CERT/CC VINCE, or the relevant regulator) to assist in determining how best to handle the vulnerability.
Coordination with National CSIRTs
In cases where vulnerability disclosure cannot be resolved directly between Vantiva and the reporting party, Vantiva may coordinate with national Computer Security Incident Response Teams (CSIRTs) or ENISA to ensure responsible handling and resolution of the issue. This includes escalation to CERT/CC VINCE or relevant regulatory bodies when necessary.
Data Retention and Disposal
Vantiva adheres to the principles of data minimization and secure disposal set out in the EU General Data Protection Regulation (GDPR). Any personal data (PII) or sensitive information submitted as part of a vulnerability report will be stored securely only for as long as is necessary to address the issue and will then be disposed of in a manner that preserves confidentiality and data protection. For any question related to your rights under GDPR, please contact privacy@vantiva.com.
This policy may be updated periodically.