Soracom, Inc., SORACOM CORPORATION, LTD. and Soracom Global, Inc. (collectively, “SORACOM”), the leading group of companies providing IoT cellular network connectivity and IoT platform services, is committed to ensuring the safety and security of our customers. Toward this end, SORACOM is now formalizing our policy for accepting vulnerability reports in our products and services. We hope to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our customers.
We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise.
2. Initial Scope
SORACOM’s Vulnerability Disclosure Program initially covers the following products:
- SORACOM User Console (https://console.soracom.io)
- SORACOM API
While SORACOM develops a number of other products and services, we ask that all security researchers submit vulnerability reports only for the stated product list. We intend to increase our scope as we build capacity and experience with this process.
Researchers who submit a vulnerability report to us will be given full credit on our website once the submission has been accepted and validated by our product security team.
3. Legal Posture
SORACOM will not engage in legal action against individuals who follow this Vulnerability Disclosure Program and submit vulnerability reports through our Vulnerability Reporting email address. Please note that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not SORACOM). We openly accept reports for the currently listed SORACOM products and services. We agree not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming SORACOM or its customers;
- Engage in vulnerability testing within the scope of our vulnerability disclosure program and avoid testing against websites;
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.;
- Adhere to the laws of their location and the location of SORACOM; and
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
4. Eligibility and Disclosure
All the following criteria must be met in order to participate in the Vulnerability Disclosure Program.
- If considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
- You are not a resident of a country embargoed by the Japanese, U.S. or U.K. Government.
- You are not on a list of individuals sanctioned by the Japanese, U.S. or U.K. Government.
- You are not currently, and have not been within the 6 months prior to submitting a report, an employee of SORACOM.
- You are not currently, and have not been within the 6 months prior to submitting a report, under contract to SORACOM.
- You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
- There may be additional restrictions on your eligibility to participate in the vulnerability disclosure depending upon your local laws.
5. Sensitive and Personal Information
Never attempt to access anyone else’s data or personal information including by exploiting a vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:
- Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
- Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
- Alert SORACOM immediately and support our investigation and mitigation efforts.
6. How to Submit a Vulnerability
To submit a vulnerability report to SORACOM’s Product Security Team, please use the following email address: <security <atmark> soracom.io>. You may encrypt your emails to us using our PGP key. Our corporate PGP key is listed at the bottom of this page.
Note: By submitting your report, you agree to the terms of this Vulnerability Disclosure Policy.
7. Intellectual Property
By submitting your content to SORACOM (your “Submission”), you agree that SORACOM may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant SORACOM any and all rights to your Submission needed to do so.
8. Preference, Prioritization, and Acceptance Criteria
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
- Well-written reports in English/Japanese will have a higher chance of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from us:
- A timely response to your email (within 7 business days).
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Credit after the vulnerability has been validated and fixed. We don’t provide any monetary reward.
If we are unable to resolve communication issues or other problems, SORACOM may bring in a neutral third party to assist in determining how best to handle the vulnerability.
V1.0 (2020-06-22): Publication
If you have any questions, concerns, or complaints regarding the way we collect and handle your information, please visit https://www.soracom.io/contact.
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----