Direkt zum Inhalt

​​Public Vulnerability ​ 
Disclosure Policy

Purpose 

Zenitel is committed to delivering the best possible technology, solutions and services to our partners and end customers. We believe our customers deserve the best that technology can offer. For this reason, we commit to delivering products that are secure by design and trustworthy throughout their lifecycle. 

Product security is an inherent quality of Zenitel products and systems, including hardware, firmware, software, and services. By maintaining strong product security practices, Zenitel aims to protect customers and partners and to safeguard Zenitel’s reputation and trust in the markets we serve. 

This Vulnerability Disclosure Policy (VDP) describes how security researchers, customers, and other stakeholders can report potential security vulnerabilities to us safely and responsibly, and what they can expect in return. 

Scope 

This policy applies to security vulnerabilities in: 

  • Zenitel‑branded hardware products and devices. 
  • Zenitel‑developed software. 
  • Supporting infrastructure operated by Zenitel that directly affects the security of the above products. 

Unless explicitly stated otherwise, this policy does not cover: 

  • Third‑party services, components, or infrastructure outside Zenitel’s control. 
  • Customer‑deployed configurations that deviate from recommended secure configurations. 

Our Commitment 

When you report a potential vulnerability to Zenitel in accordance with this policy, we commit to: 

  1. Timely acknowledgement: Acknowledge receipt of your report within 2 business days. All timelines and business days in this policy refer to our regular business hours in [e.g., Central European Time (CET/CEST)]. 
  1. Good‑faith assessment: Evaluate the report to determine impact, affected products, and severity (including using CVSS v3.1 or CVSS v4.0 scoring). 
  1. Coordinated remediation: Work to remediate validated vulnerabilities and coordinate public disclosure in a way that minimizes user risk, consistent with CRA expectations for vulnerability handling throughout the support period. 
  1. Transparent communication: Keep you informed of progress at key milestones (e.g., triage completed, fix under development, fix released). 
  1. Attribution (if desired): Credit you in public advisories, hall of fame, or release notes, if you wish and where legally and contractually permissible. 
  2. Legal safe harbor: Not pursue legal action against you for good‑faith security research and reporting conducted under this policy. 

We will comply with all legally mandated cybersecurity notification requirements, including those set out in Regulation (EU) 2024/2847 (Cyber Resilience Act), while balancing the need to protect our users from unnecessary risk. 

How to Report a Vulnerability

If you believe you have found a security vulnerability that affects Zenitel products or services, please contact us via: 

  • security.txt (RFC 9116): 
    • A machine‑readable disclosure contact file is available at: https://www.zenitel.com/.well-known/security.txt 
    • This file includes our: 
      • Contact email 
      • Policy URL 
    • This file is the authoritative machine‑readable source of our vulnerability disclosure contact details. We keep this file up to date whenever contact details change. 

To help us triage your report quickly, please provide: 

  • Your contact details (name, email, optional organization). 
  • A clear, concise explanation of the suspected security issue and its potential impact. Affected product(s), version(s), and environment (e.g., firmware version, kernel version, cloud endpoint URL). 
  • Step‑by‑step reproduction instructions, including any required configuration or test data. 
  • Proof of concept (PoC), code, scripts, or payloads demonstrating the vulnerability 
  • Any relevant logs, screenshots, or network traces, redacted to remove unnecessary personal data. 
  • Estimated CVSS v3.1 or CVSS v4.0 base score and vector. 

Coordinated Disclosure & Publication 

We ask that you: 

  • Do not publicly disclose details of the vulnerability, share exploit code, or discuss it with third parties before: 
  • Maintain an archive of past advisories. 
  • We have confirmed the issue and prepared a fix or effective mitigation; and 
  • We have agreed on a coordinated disclosure date together; or 
  • A maximum of 90 days has passed since acknowledgement, unless shorter or longer periods are mutually agreed based on risk. 

We, in turn, will: 

  • Publish security advisories on our website (and other appropriate channels) describing: 
    • Affected products and versions. 
    • Severity and impact. 
    • Mitigation and remediation steps. 
    • CVE IDs, where applicable. 
  • Notify relevant customers and partners through appropriate channels. 
  • Maintain an archive of past advisories. 

OutofScope and Prohibited Activities 

To protect our users and services, do not: 

  • Perform actions that degrade service availability, such as: 
    • Denial‑of‑Service (DoS) or Distributed DoS attacks. 
    • Large‑scale automated scanning of production systems beyond normal, low‑rate probing. 
  • Exploit a vulnerability beyond the minimum necessary to demonstrate its existence. 
  • Access, modify, or delete any data that is not your own. 
  • Social engineer, phish, or otherwise target Zenitel employees, contractors, or customers. 
  • Physically damage devices or attempt invasive hardware attacks (e.g., chip decapping) unless explicitly authorized in writing for a specific research program. 

We generally consider the following out of scope for this policy: 

  • Missing security best practices without a clear, demonstrable security impact. 
  • Vulnerabilities in third‑party products not integrated or distributed by Zenitel. 
  • Issues in systems or domains clearly not owned or operated by Zenitel. 

Data Protection & Privacy 

We treat all vulnerability reports as confidential and handle submitted information in accordance with applicable data protection laws. 

We will use personal data provided in your report solely for: 

  • Communicating with you about the report. 
  • Processing and documenting the vulnerability. 
  • Meeting our legal obligations (e.g., incident reporting, where applicable). 

We will retain report-related data only as long as necessary for these purposes or as required by law.