Vulnerability Disclosure Policy

1. INTRODUCTION

Soracom, Inc., SORACOM CORPORATION, LTD. and Soracom Global, Inc.(collectively, “SORACOM”), the leading group of companies of IoT network cellular connectivity and IoT platform services, is committed to ensuring the safety and security of our customers. Toward this end, SORACOM is now formalizing our policy for accepting vulnerability reports in our products and services. We hope to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our customers.

We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise.

2. Initial Scope

SORACOM’s Vulnerability Disclosure Program initially covers the following products:

  • SORACOM User Console (https://console.soracom.io)
  • SORACOM API

 
While SORACOM develops a number of other products and services, we ask that all security researchers submit vulnerability reports only for the stated product list. We intend to increase our scope as we build capacity and experience with this process.
Researchers who submit a vulnerability report to us will be given full credit on our website once the submission has been accepted and validated by our product security team.

3. Legal Posture

SORACOM will not engage in legal action against individuals who follow this Vulnerability Disclosure Program and submit vulnerability reports through our Vulnerability Reporting email address. Please note that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not SORACOM). We openly accept reports for the currently listed SORACOM products and services. We agree not to pursue legal action against individuals who:

  • Engage in testing of systems/research without harming SORACOM or its customers;
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program and avoid testing against websites;
  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.;
  • Adhere to the laws of their location and the location of SORACOM. ; and
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

 

4. Eligibility and Disclosure

All the following criteria must be met in order to participate in the Vulnerability Disclosure Program.

  • If considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
  • You are not a resident of a country embargoed by Japanese, U.S. or U.K. Government.
  • You are not on a list of sanctioned individuals by Japanese, U.S. or U.K. Government.
  • You are not currently nor have been an employee of SORACOM within 6 months prior to submitting a report.
  • You are not currently nor have been under contract to SORACOM within 6 months prior to submitting a report.
  • You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
  • There may be additional restrictions on your eligibility to participate in the vulnerability disclosure depending upon your local laws.

 

5. Sensitive and Personal Information

Never attempt to access anyone else’s data or personal information including by exploiting a vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
  • Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
  • Alert SORACOM immediately and support our investigation and mitigation efforts.

 

6. How to Submit a Vulnerability

To submit a vulnerability report to SORACOM’s Product Security Team, please utilize the following email address <security <atmark> socacom.io>. You may encrypt your emails to us using our PGP key. Our corporate PGP key is listed at the bottom of this page.
Note: By submitting your report, you agree to the terms of this Vulnerability Disclosure Policy.

7. Intellectual Property

By submitting your content to SORACOM (your “Submission”), you agree that SORACOM may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant SORACOM any and all rights to your Submission needed to do so.

8. Preference, Prioritization, and Acceptance Criteria

We will use the following criteria to prioritize and triage submissions.

What we would like to see from you:

  • Well-written reports in English/Japanese will have a higher chance of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.

 

What you can expect from us:

  • A timely response to your email (with 7 business days).
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit after the vulnerability has been validated and fixed. We don’t provide any monetary reward.

If we are unable to resolve communication issues or other problems SORACOM may bring in a neutral third party to assist in determining how best to handle the vulnerability.

9. History

V1.0 (2020-06-22):           Publication

If you have any questions, concerns, or complaints regarding the way we collect and handle your information, please visit https://www.soracom.io/contact.

PGP Key

—–BEGIN PGP PUBLIC KEY BLOCK—–

mQINBF7hlQQBEACikHgRUX2qeiHmZrN8sKCePXBy9uSdYV12noQNFP9jNJw53dFE
wfs2KjKcFr++v+4Xrh/6QpAcOZUEqdZ2dUhSa9nbsLUQSqqZo91MIqZjs03QYbBc
Yg2XPmu5/SP8A+If8RlrO2j1c65/xNubXacaGaqB/bGR+KQdlObKJNx10ls4GJUF
ROfEKJYm28ONh6DRQkdBFzq6ToOH6AQ/PjM0Ug+9wBcxP798OK1UHCnDlWFYSWjE
TI+9Mypdb+Lr4/estzmd42OhhUtCBMg8ZM6PVg6eVQcek4xLVR2XKwOCfjXu4RI8
4ZG+KbWynTS0EiLAYw4Zbu7LzZ8qIvnPG0Sze3LJBIMXmX5/sBE2rPfXBaoTl3iu
ip3LVnR5SRa8xbDxWx2O9e4pNIR+EvCkBuL47AI98WFUvCvLSpDN7+lpjWE56iU+
ScFOjDshXV07oMhjtVhc0qTWHzWvraLjGR60dIbCuW81BrLC9129ltdVl19X0PpQ
OUoPbgpgWRTzBfGXbeeYgKPbHVnR/EMjcSAaWr80G1usTJpXlgBTY2sxciIauRNj
EXzZeAM4G7hhclnTdm2WUhfol4FdIlnTayVWROwTxgNnLtlqwKjhW6UwdHDqlD4/
pKqkBmlQFO1d0Fr8t9LxsAkxfvmsrZykGgSpzQf9N2yJAuiAIMckapDUFQARAQAB
tC9TT1JBQ09NIENPUlBPUkFUSU9OLCBMVEQuIDxzZWN1cml0eUBzb3JhY29tLmlv
PokCVAQTAQgAPhYhBIqoXy62FkiIGQUfu2AM2pWHH/ldBQJe4ZUEAhsDBQkDwmcA
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEGAM2pWHH/ldLrIQAKHy0hCy0CZc
MW0qdTl2txM6Vxp/oNgtgRbTOYQW+/DHJ05DYqiALJnbJ03IVCjt30TaGZxOT4Pz
lOISBXgKzfAZMP2ZfvzZbtK/ScE+k1Em22r/iqSbStv5zK0iTicY9OrRQRK1D531
AkhGnGt9fruHDn/80S55npjyvekcutt7NQWsoSlbWUuUtMoG2GZPatwohok0JQKg
o4nvAB0wbp4KEpQQzxVEA3wJRIeSLYZrG03bcrZuHROe/77NODN8JQdlBt+xI5FE
acVPcsWnn8J/gCBwTYtVjFWL9mk6qi43sgNvv0ceRmE4V7AvNrEbFqduuo6Ngqnq
hdJvw2rk9TZVtA1FCrcd6la7vUcwT9w2rkAxooYgYsuZXA9C1xXeHivd5yR6rmMP
moZHBeBD6UdFF+hrTRicqt1Be9n+sMHXRELvE+DXtI1Sglb2QBqz0OCThud+5qDa
sYzfNz7/DTR39gda74N3AdvkBq2UPmPICT8mdMa6sThrXVlUKnx7QYo9PICbTJqT
Tzcvmuok7eexP9OPy7PAJRbyeP+YXtBDdvYEpmhRCsQzqQ4/JWsiLRCPqjCvSkIe
hKWm/hTTBtrlRyrZmLk84+mNhD+mi8fMph/U/hnx333HtvgnSe9FO+RIudxDuWsm
0mTGk6RHVSHMxY1yrVr/t7og8YHGluMZuQINBF7hlQQBEADD8uRPmuSo5oesdqse
YL65fMQDHurDhfB+PbJ5XZNpmbLRrhzIFbBAdxBhVo8Bu6MUD7k6qDK8rAYVyO7F
Hkw0QPnzQcEqhiaG2/ot4yMvrzIRyjZrA874+jNC5iPU/fuUiOpG0kFeUkJ0SjMI
7Xa27EBPEt/MWj1ug9is1BTgW4xAhCJ3vhVEQabSYTn9QiFHt46JeHo6TjYYAPpY
VKz3Ww5XLQrWo2HMpfhSAUFInCre6jWf8iytEixRUQQ372MYmTqmm1312iiQ4Tz8
59xQNS/qiFeXn8SQjcEmuGB+SqmJqyxE1BwN9kef/+yi5fdAic8quhRrg1zPwgP9
EuiNz//IpDoJyjOKramH2vE2G2isvzO2K/KmbVCf9w8C+lAkNHkKMlnrrzr/Sqy0
iXVcPuM35O3f3mWxYcTdF0BWggm3awCDEF6XM5kv6MtTn4UBNMw+olrsaG+JHGMP
pn4UcK2HMrPE4ogG//MNoWRvOBZRmaP3GH4lne6d8THc2DRk86GbIGFr6s84iGiW
t09Zu0CkpaMhRm+uido1B37Ux5snrAOf3KyQO6RuHuj75FMnfpA+pxjoa7i//qu6
S8SLwXkpH4U3kTCCvKzUB7HZs8kg4zU6/lH0UThDOsrFtLOc2iAc+q5uXhieu6yb
pKk9OeItY5kwNMRazW94rKj2pwARAQABiQI8BBgBCAAmFiEEiqhfLrYWSIgZBR+7
YAzalYcf+V0FAl7hlQQCGwwFCQPCZwAACgkQYAzalYcf+V24lQ//Uox64YGcqfD2
1Niz6mQ4/mk7V9PkjZ0ypXQHGHZqsncLELUR+6k8ThNNTV/ar54kNJWULoL9StJO
cys+Pq+BzxP0QhLYXU7EVrmAPnGV4+yW93ejK5flDsz+CKFaLaVICvSXr/adZcV0
HBUZMLsU1M6hA1lhFgqCvvuraS8t21gnxjCyKYcqqUM3RfztLKCeAMEU9s2NyFSu
s1+OFuETXh65r6BNBR7DhFbEcBYLqvLrVo3ECct3HawAT+SvR5U5VLFQox1AmG27
5vqw+VvU5uUJyQCNOKm8IQ3HtPO86mYcu9khCmkQeymLED3+/xm6z6ugMhsDEwD4
fKM16ff6OOsUQACw/GVi/YwDX7BT1GmckDhb7ZxnU76Z/FmNC5HXPdcKnMuM3XTb
1N1ModjKLAF9WPniC3aKGEElLgBd+bQ8tJpVjB5DhEE6ijUo8P80+XcoeQbiREpn
EErJpvshVVcRVARfgM9irBPNHDA/vElKv7tFrjMskuB/ZB2PcFnrBtoAt1TaxBsK
Oi03GkGzqyDgdC2q/JHTkPuLWspgWo1EHZguEi1B1Kc9mJ5MRizgxdTF9VKa5TaI
+is1h80o+hsnSW3JvmRoGxocuDupSmROvh6uuDdkPBWMhvmF1fzBT1rKyCibvJRS
lY09rE4iykBaiUrdrOGlwoFnxt1ZXFw=
=OmWj
—–END PGP PUBLIC KEY BLOCK—–