This policy relates to the investigation and disclosure of security vulnerabilities that potentially affect products and services provided by Distech Controls.
Distech Controls, Inc. is a subsidiary of Acuity Brands Lighting, Inc and benefits from the cybersecurity policy established by the group.
Once an issue is reported to the Distech Controls PSIRT, it is evaluated based on the potential impact of the vulnerability. The PSIRT will work with the reporter and product development teams in order to determine the severity and scope of the reported issue.
In general, the PSIRT uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to determine the severity level of identified vulnerabilities. If there is a security issue with a third-party software component used in an Distech Controls product, the CVSS may be adjusted to reflect the impact to our products. CVSS is maintained by FIRST and more information may be obtained from the FIRST.org website.
After the severity and scope of the issue have been determined, the PSIRT works with appropriate internal and external resources, as needed, in order to determine the availability of fixes and a communication plan. During the investigation, Distech Controls treats all non-public information as highly confidential. We maintain all records regarding the identified vulnerability on encrypted filesystems and distribution is limited to those individuals who can actively assist in the resolution or have a legitimate need to know. Similarly, the Distech Controls PSIRT asks those reporting a vulnerability to maintain strict confidentiality until the details have been published through the appropriate coordinated disclosure. See the next section of this policy for information regarding disclosure criteria.
After publication of any security issue, the PSIRT reviews our secure development lifecycle and continues to monitor networks for signs of active exploitation.
Distech Controls may communicate security information privately to affected customers and publicly through Product Security Bulletins. Not all security issues will have both private and public disclosure components. Public Product Security Bulletins are published on the Distech Controls PSIRT site (www.acuitybrands.com/psirt) when any of the following occur:
Individuals may also subscribe to Distech Controls Public Security Bulletins through email directly from the PSIRT page or through an RSS feed. All Distech Controls RSS feeds are available at: http://news.acuitybrands.com/us/follow-us-via-rss
Security Bulletins summarize a vulnerability or other security issue to help customers evaluate risks present in their environments. They are not intended to help readers reproduce the issue for testing or other research. In general, Security Bulletins will include:
Distech Controls provides Security Bulletins to bring potentially important security information to the attention of stakeholders. However, Security Bulletins are provided “as-is” with no express or implied warranty and Distech Controls does not represent that Security Bulletins are complete or accurate. Readers are responsible for confirming the accuracy of the information set forth in Security Bulletins, determining the applicability of the information to their installation, and taking whatever resulting action they may deem necessary, if any.
This policy covers all software and firmware sold by Acuity Brands. This includes, but is not limited to, the products sold under the following brands: Atrius™, DGLogik™, Dark To Light® (DTL), Distech Controls®, EldoLED®, Fresco™, Holophane®, IOTA®, nLight®, nLight® AIR, ROAM®, SensorSwitch™, Synergy®, and XPoint Wireless®.