This policy relates to the investigation and disclosure of security vulnerabilities that potentially affect products and services provided by Distech Controls.
Distech Controls, Inc. is a subsidiary of Acuity Brands Lighting, Inc and benefits from the cybersecurity policy established by the group.
The Distech Controls Product Security Incident Response Team (PSIRT) is responsible for coordinating stakeholder interests regarding security concerns that potentially affect Distech Controls products and services. In this pursuit, the PSIRT manages the receipt, investigation, and notification procedure regarding security vulnerabilities and other issues affecting our cloud-based infrastructure. The Distech Controls PSIRT works with customers, consultants, security researchers, academic institutions, and other vendors to handle potential security issues discovered within Distech Controls products and services.
Individuals or organizations that are aware of a product security issue are strongly encouraged to contact the PSIRT. Timely identification of security vulnerabilities is critical to eliminating potential threats. Distech Controls welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security and is committed to responsible disclosure.
If you believe you have identified a potential security vulnerability, you may contact the Distech Controls PSIRT through our email alias, psirt@acuitybrands.com. The PSIRT will identify the appropriate product teams in order to address the issue.
Distech Controls encourages the encryption of sensitive information that is sent to the PSIRT. The PSIRT supports encrypted messages via PGP/GNU Privacy Guard. The PSIRT public PGP key psirt@acuitybrands.com (94694357) is available on multiple public key servers.
When reporting potential security issues, please include as much of the below information as possible to help the PSIRT understand the nature and scope of the potential vulnerability:
The Distech Controls PSIRT process was developed using the ISO 30111 standard and documentation from the Forum of Incident Response and Security Teams (FIRST) as guides. The following figure provides a high-level view of our response process.
The following are the steps in the process illustrated in Figure 1. After each step is completed, the Distech Controls PSIRT determines the appropriate actions; therefore, some of these steps might not be performed for some issues.
Once an issue is reported to the Distech Controls PSIRT, it is evaluated based on the potential impact of the vulnerability. The PSIRT will work with the reporter and product development teams in order to determine the severity and scope of the reported issue.
In general, the PSIRT uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to determine the severity level of identified vulnerabilities. If there is a security issue with a third-party software component used in an Distech Controls product, the CVSS may be adjusted to reflect the impact to our products. CVSS is maintained by FIRST and more information may be obtained from the FIRST.org website.
After the severity and scope of the issue have been determined, the PSIRT works with appropriate internal and external resources, as needed, in order to determine the availability of fixes and a communication plan. During the investigation, Distech Controls treats all non-public information as highly confidential. We maintain all records regarding the identified vulnerability on encrypted filesystems and distribution is limited to those individuals who can actively assist in the resolution or have a legitimate need to know. Similarly, the Distech Controls PSIRT asks those reporting a vulnerability to maintain strict confidentiality until the details have been published through the appropriate coordinated disclosure. See the next section of this policy for information regarding disclosure criteria.
After publication of any security issue, the PSIRT reviews our secure development lifecycle and continues to monitor networks for signs of active exploitation.
Distech Controls may communicate security information privately to affected customers and publicly through Product Security Bulletins. Not all security issues will have both private and public disclosure components. Public Product Security Bulletins are published on the Distech Controls PSIRT site (www.acuitybrands.com/psirt) when any of the following occur:
Individuals may also subscribe to Distech Controls Public Security Bulletins through email directly from the PSIRT page or through an RSS feed. All Distech Controls RSS feeds are available at: http://news.acuitybrands.com/us/follow-us-via-rss
Security Bulletins summarize a vulnerability or other security issue to help customers evaluate risks present in their environments. They are not intended to help readers reproduce the issue for testing or other research. In general, Security Bulletins will include:
Distech Controls provides Security Bulletins to bring potentially important security information to the attention of stakeholders. However, Security Bulletins are provided “as-is” with no express or implied warranty and Distech Controls does not represent that Security Bulletins are complete or accurate. Readers are responsible for confirming the accuracy of the information set forth in Security Bulletins, determining the applicability of the information to their installation, and taking whatever resulting action they may deem necessary, if any.
This policy covers all software and firmware sold by Acuity Brands. This includes, but is not limited to, the products sold under the following brands: Atrius™, DGLogik™, Dark To Light® (DTL), Distech Controls®, EldoLED®, Fresco™, Holophane®, IOTA®, nLight®, nLight® AIR, ROAM®, SensorSwitch™, Synergy®, and XPoint Wireless®.