Distech Controls Security Vulnerability Policy
This policy relates to the investigation and disclosure of security vulnerabilities that potentially affect products and services provided by Distech Controls.
Distech Controls, Inc. is a subsidiary of Acuity Brands Lighting, Inc and benefits from the cybersecurity policy established by the group.
Distech Controls Product Security Incident Response
The Distech Controls Product Security Incident Response Team (PSIRT) is responsible for coordinating stakeholder interests regarding security concerns that potentially affect Distech Controls products and services. In this pursuit, the PSIRT manages the receipt, investigation, and notification procedure regarding security vulnerabilities and other issues affecting our cloud-based infrastructure. The Distech Controls PSIRT works with customers, consultants, security researchers, academic institutions, and other vendors to handle potential security issues discovered within Distech Controls products and services.
Reporting a Security Vulnerability
Individuals or organizations that are aware of a product security issue are strongly encouraged to contact the PSIRT. Timely identification of security vulnerabilities is critical to eliminating potential threats. Distech Controls welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security and is committed to responsible disclosure.
If you believe you have identified a potential security vulnerability, you may contact the Distech Controls PSIRT through our email alias, firstname.lastname@example.org. The PSIRT will identify the appropriate product teams in order to address the issue.
Distech Controls encourages the encryption of sensitive information that is sent to the PSIRT. The PSIRT supports encrypted messages via PGP/GNU Privacy Guard. The PSIRT public PGP key email@example.com (94694357) is available on multiple public key servers.
When reporting potential security issues, please include as much of the below information as possible to help the PSIRT understand the nature and scope of the potential vulnerability:
- Product name and version that contains the vulnerability
- Step-by-step instructions to reproduce the vulnerability
- Proof-of-concept or exploit code
- Potential impact of the vulnerability, including how an attacker could exploit the vulnerability
Distech Controls Product Security Incident Response Process
The Distech Controls PSIRT process was developed using the ISO 30111 standard and documentation from the Forum of Incident Response and Security Teams (FIRST) as guides. The following figure provides a high-level view of our response process.
The following are the steps in the process illustrated in Figure 1. After each step is completed, the Distech Controls PSIRT determines the appropriate actions; therefore, some of these steps might not be performed for some issues.
- Awareness: information is received regarding a potential security vulnerability
- Triage: the report is validated, prioritized, and resources identified
- Analysis: impact assessment is conducted and remediation plan developed
- Coordination: all collaborators are made aware of the timelines
- Remediation: fixes are released and cloud-based services are updated
- Notification: affected customers are notified
- Feedback: post-remediation activities are performed
Once an issue is reported to the Distech Controls PSIRT, it is evaluated based on the potential impact of the vulnerability. The PSIRT will work with the reporter and product development teams in order to determine the severity and scope of the reported issue.
In general, the PSIRT uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to determine the severity level of identified vulnerabilities. If there is a security issue with a third-party software component used in an Distech Controls product, the CVSS may be adjusted to reflect the impact to our products. CVSS is maintained by FIRST and more information may be obtained from the FIRST.org website.
After the severity and scope of the issue have been determined, the PSIRT works with appropriate internal and external resources, as needed, in order to determine the availability of fixes and a communication plan. During the investigation, Distech Controls treats all non-public information as highly confidential. We maintain all records regarding the identified vulnerability on encrypted filesystems and distribution is limited to those individuals who can actively assist in the resolution or have a legitimate need to know. Similarly, the Distech Controls PSIRT asks those reporting a vulnerability to maintain strict confidentiality until the details have been published through the appropriate coordinated disclosure. See the next section of this policy for information regarding disclosure criteria.
After publication of any security issue, the PSIRT reviews our secure development lifecycle and continues to monitor networks for signs of active exploitation.
Receiving Security Vulnerability Information from Distech Controls
Distech Controls may communicate security information privately to affected customers and publicly through Product Security Bulletins. Not all security issues will have both private and public disclosure components. Public Product Security Bulletins are published on the Distech Controls PSIRT site (www.acuitybrands.com/psirt) when any of the following occur:
- Distech Controls is not able to identify affected customers
- Software updates are available for all affected products
- There is public concern about the issue
- There is public discussion about a vulnerability
- There will be no fix created for affected products
Individuals may also subscribe to Distech Controls Public Security Bulletins through email directly from the PSIRT page or through an RSS feed. All Distech Controls RSS feeds are available at: http://news.acuitybrands.com/us/follow-us-via-rss
Security Bulletins summarize a vulnerability or other security issue to help customers evaluate risks present in their environments. They are not intended to help readers reproduce the issue for testing or other research. In general, Security Bulletins will include:
- Products and versions affected
- The severity rating for the vulnerability
- Brief description of the vulnerability and potential impact if exploited
- Remedy details with update/workaround information
Distech Controls provides Security Bulletins to bring potentially important security information to the attention of stakeholders. However, Security Bulletins are provided “as-is” with no express or implied warranty and Distech Controls does not represent that Security Bulletins are complete or accurate. Readers are responsible for confirming the accuracy of the information set forth in Security Bulletins, determining the applicability of the information to their installation, and taking whatever resulting action they may deem necessary, if any.
Brands Covered by this Policy
This policy covers all software and firmware sold by Acuity Brands. This includes, but is not limited to, the products sold under the following brands: Atrius™, DGLogik™, Dark To Light® (DTL), Distech Controls®, EldoLED®, Fresco™, Holophane®, IOTA®, nLight®, nLight® AIR, ROAM®, SensorSwitch™, Synergy®, and XPoint Wireless®.