Vulnerability Disclosure Policy

TXOne Networks – April 10, 2024


Introduction

TXOne Networks is committed to eliminating the security weaknesses prevalent in industrial environments. Our Product Security Incident Response Team (PSIRT) is fully committed to product security that follows the highest standard. We encourage security researchers to report any security issues or security incidents by emailing security@txone.com.

For added security, please encrypt sensitive information with our PGP Public Key (fingerprint: FECB D146 2C36 3B04 6B2D F4E5 7314 6C66 B4E5 26C6).


Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and TXOne Networks will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.


Guidelines

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue. We are committed to working with you to understand and resolve the issue quickly. You will receive an initial confirmation of your report within 72 hours of submission.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provide us with 45 days to resolve the issue before you disclose it publicly. Extenuating circumstances, such as threats of an especially serious (or trivial) nature, or situations requiring complex changes to architecture may result in earlier or later disclosure.
  • Submit a report with as much detail as possible.

Once you’ve established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and refrain from disclosing this data to anyone else.


Test methods and scope

The following test methods and scope are not authorized:

  • Network distributed denial-of-service (DDoS) testing.
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
  • Any services hosted by third-party providers and services.

Check our products to determine what is supported. If you aren’t sure whether a product or system is in scope, contact us at security@txone.com before starting your research.


Reporting a vulnerability

We accept vulnerability reports at security@txone.com. Reports may be submitted anonymously. We will acknowledge receipt of your report within 72 hours.

To help us triage and prioritize submissions, we recommend that your reports fit the following criteria:

  • Submitter name (unless anonymous)
  • Product name
  • Product version
  • Description of security issue
  • Steps to reproduce (screenshots are helpful)
  • Proof-of-concept (POC) documents or scripts

Please inform us if any of the material provided is not your original work or is subject to the intellectual property rights of others. Not notifying us means that you assert no involvement of third-party intellectual property rights.

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 72 hours, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.
  • TXOne Networks does not participate in a bug bounty awards program at this time. However, when a vulnerability is confirmed and then remediated, we will publicly disclose it within the release notes of the update. Additional public announcements may be made through various channels such as social media, our blog, and media outlets. These announcements will acknowledge the person/people who reported the vulnerability, unless anonymity is requested by the submitter(s).


Questions

Questions regarding this policy or coordinated vulnerability disclosure in general may be sent to security@txone.com.