Vulnerability reporting

Cobham Satcom Vulnerability Handling and Disclosure Process


PREFACE

At Cobham Satcom, we strive to provide the best products to our customers. Our products help people and devices stay connected over vast distances. The security of our products is a crucial component in staying safe and operational. To this end, Cobham Satcom has formalized the process of reporting and handling security vulnerabilities in our products and IT infrastructure.

By clicking Submit on the form below, you acknowledge and agree to the terms of this disclosure process, including with respect to confidentiality, disclosure, and compliance with applicable law. Any personal information you provide in your report or follow-up related to your report is subject to the General Privacy Notice.

Cobham Satcom is prepared to work in good faith with anyone who reports security vulnerabilities via the [reporting button/method]. Cobham Satcom openly accepts reports for currently listed Cobham Satcom products, solutions, and Cobham Satcom IT infrastructure. Cobham Satcom maintains a Hall of Thanks to credit individuals who ethically report security issues in Cobham Satcom's products, solutions, services, or infrastructure. Cobham Satcom does not intend to engage in legal action against individuals who:

  • Engage in testing of systems/research without harming anyone.
  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
  • Adhere to the applicable laws.
  • Perform coordinated disclosure, i.e. refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
  • Avoid impact to the safety or privacy of anyone.

VULNERABILITY HANDLING AND DISCLOSURE PROCESS


The vulnerability handling process consists of the following four steps at Cobham Satcom:

1. Report

To report a security vulnerability affecting a Cobham Satcom product, solution or infrastructure component, please contact Cobham Satcom using the ways described in section “Contact Information”. Cobham Satcom usually responds to incoming reports within one business day.

Please report the following information:

  • Description of vulnerability, including proof-of-concept exploit code or network traces (if available)
  • Affected product, solution or infrastructure component, including model and firmware version (if available)
  • Publicity of vulnerability (was it already publicly disclosed?)
  • A detailed description of how to reproduce the vulnerability. Please provide as much detail as available (Screenshots etc.)

Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product lifecycle status. Cobham Satcom welcomes vulnerability reports from researchers, industry groups, partners and any other source, and does not require a nondisclosure agreement as a prerequisite for receiving reports. Cobham Satcom respects the interests of the reporting party (including anonymous reports, if requested) and agrees to handle any vulnerability that is reasonably believed to be related to Cobham Satcom products, solutions or infrastructure components. Cobham Satcom urges reporting parties to perform a coordinated disclosure, as immediate public disclosure creates a ‘0-day situation’ that puts Cobham Satcom’s customer systems at unnecessary risk. Those systems comprise significant parts of the worldwide critical infrastructure.

2. Analysis

Cobham Satcom investigates and reproduces the vulnerability. If needed, Cobham Satcom will request more information from the reporter.

3. Handling

Cobham Satcom performs internal vulnerability handling in collaboration with the responsible development groups. During this time, regular communication may be maintained between Cobham Satcom and the reporting party to inform about the current status and to ensure that Cobham Satcom's position is understood by the reporting party. If available, pre-releases of software fixes may be provided to the reporting party for verification.

4. Disclosure

If the issue was successfully analyzed and a fix is necessary to address the vulnerability, corresponding fixes will be developed and prepared for distribution. Cobham Satcom will use existing customer notification processes to manage the release of patches, which may include direct customer notification, or public release of a security advisory containing all necessary information on the Cobham Satcom Services website (see section “Contact Information”).

A Cobham Satcom Security Advisory usually contains the following information:

  • Description of the vulnerability with CVE reference and vulnerability score
  • Identity of known affected products and software/hardware versions
  • Information on mitigating factors and workarounds
  • The location of available fixes
  • Credit for reporting and collaboration, with the reporting party’s consent


Get In Touch with Cobham Satcom Product

Feel free to contact us with any security-related question on the Cobham Satcom portfolio or infrastructure, and particularly if you want to report a potential security issue. Please bear in mind that only emails composed in English can be considered, and encrypted communication is preferred. You can expect us to respond the next business day.

Cobham Satcom Contact for Products, Solutions, and Services
Email_t@CobhamSatcom.com

Cobham Satcom - Contact for Infrastructure
Email_@CobhamSatcom.com

HALL OF THANKS


Acknowledgements

Each name represents an individual or organization who has privately reported one or more security vulnerabilities in Cobham Satcom’s products, solutions, services, or infrastructure and worked with Cobham Satcom to mitigate the issue.