Vulnerability Disclosure Program

Rolling Wireless is committed to sustaining the highest security standards in our automotive connectivity solutions. We value the expertise of security researchers and the cybersecurity community, and we encourage responsible disclosure.

If you believe you have found a security issue in a Rolling Wireless product and would like to tell us about it, please follow the process below.

Responsible disclosure policy

Rolling Wireless will work in good faith with security researchers who discover, test, and report potential security vulnerabilities in accordance with these guidelines.

We require that all researchers:

  • make every effort to avoid disruption to production systems, destruction of data, and privacy violations during testing
  • perform research only within the scope set out below 
  • use the communication channels indicated below to report vulnerability information
  • keep information about any vulnerabilities they have discovered confidential between themselves and Rolling Wireless until we’ve had 90 days to resolve the issue.

This policy is intended to be compatible with common vulnerability disclosure best practices. It does not give permission to act in any manner that is inconsistent with the law.

Scope

The scope of this program is limited to vulnerabilities in Rolling Wireless hardware, software or services which threaten the confidentiality, integrity or availability of our systems, services, data, or those of our customers.

To be acknowledged, vulnerabilities must be original and previously unreported, and otherwise comply with this policy. 

Out of scope

In the interest of the safety of our staff and our customers, the following test types are out of scope:

  • social engineering or phishing of Rolling Wireless’ workforce
  • any attacks against Rolling Wireless’ physical locations
  • any attacks against users of Rolling Wireless products or services.

Regarding vulnerabilities in third-party products, services, or code, we will guide researchers to report those to the appropriate parties. 

How to report a security vulnerability

If you believe that you have found a security vulnerability in one of our products, please notify us by submitting a ticket via the Rolling Wireless Customer Portal.

Report a vulnerability
If you don’t have a customer portal account, you can initiate contact with us via the form below.


This form should only be used to report security vulnerabilities. To contact us about any other topic, please use rollingwireless.com/contact.


What to include in your report

The following information will help us evaluate your submission as quickly as possible. If available, please include in your report:

  • Affected product and version
  • Vulnerability type (buffer overflow, integer overflow, …)
  • Issue impact (arbitrary code execution, information disclosure, …)
  • Instructions to reproduce the issue
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful).

What to expect from us

Rolling Wireless reserves the right to accept or reject any reports on any vulnerabilities, and to act upon them in accordance with our internal rules and procedures.

Response time

Rolling Wireless aims to: 

  • Acknowledge receipt of your vulnerability report within 2 working days
  • Make an initial appraisal of the report and provide a response within 10 working days.

Depending on the nature of the vulnerability, the time needed for remediation will vary. Rolling Wireless’ default remediation period is 90 days. This will be discussed with you to manage expectations.

We aim to keep you updated throughout the process.

Safe Harbor

We accept vulnerability reports for the scope listed above and we agree not to pursue legal action against security researchers who, in good faith:

  • comply with this policy during their research
  • ensure that their testing does not harm users or data
  • refrain from disclosing any discovered vulnerabilities to the public before a mutually agreed-upon timeframe expires.

Recognition

Rolling Wireless does not provide financial compensation (bug bounties) or maintain a public Vulnerability Disclosure Hall of Fame. We also do not publish information about vulnerabilities or reports we have received within the scope of this program. 

However, when the reported vulnerability is resolved, we may offer support and share information if you want to publish your own technical write-up. Subject to prior mutual agreement, we may also help promote your publication.