Vulnerability Disclosure Policy

Vista CCTV's Security Vulnerability Disclosure Policy is provided in accordance with the following:

  • ETSI EN 303 645, provision 5.2-1 and
  • ISO/IEC 29147
    • (i) paragraph 6.2.2;
    • (ii) paragraph 6.2.5; and
    • (iii) paragraph 6.5

If you are considering investigating or reporting a security vulnerability to us, please first refer to our Latest Notices & Alerts web page to determine if this has previously been acknowledged or disclosed, and subsequently resolved via a firmware/software update.

Please also determine if your product is running the latest version of firmware by visiting our firmware and software repository. Select the correct brand folder, then select the relevant product to view the latest firmware and history.txt files.

NOTE: If your product is not updated with the latest available firmware version, please update it before proceeding with reporting a vulnerability to us.

    REPORTING A SECURITY VULNERABILITY AND WHAT TO EXPECT

    Please complete the below, adding as much detail as you can. Ensure that within your report to us you include all relevant information (example below) along with any information that may facilitate prompt resolution.


    Please note: we are unable to accept capture files or other similar attachments, other than jpg/bmp/png etc. screen grabs.

    After a report has been submitted to us, we will respond within 5 working days to acknowledge receipt. In addition, we will provide updates at 14-day intervals. You can enquire about progress within this period, but please give consideration to the security team investigating the reported vulnerability.

    Where the reported product and vulnerability are accepted by us, and the product's minimum software update and "support period" is still current, we shall endeavour to work towards a resolution as soon as technically possible. We will then inform you, share with you any firmware update, and invite you to confirm resolution. Once confirmed, we will make the update available to all affected users.

    The complexity of any vulnerability, and therefore of its resolution, will determine the actual time taken, though we aim to resolve within the industry-expected period of 90 days.

    Guidance

    You must NOT:

    • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with "best practice", for example missing security headers
    • Submit reports detailing TLS configuration weaknesses, for example "weak" cipher suite support or the presence of TLS 1.0 support
    • Communicate any vulnerabilities or associated details other than by the means described in this Policy
    • Demand financial compensation in order to disclose any vulnerabilities

    You must:

    • Always comply with data protection rules and not violate the privacy of any organisations, users, staff, contractors, services or systems etc.
    • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).