
Security

Vulnerability Disclosure

We take all feedback on our products and services seriously and remain committed to continuous improvement. The feedback we get from security researchers is appreciated as it helps us improve security and safety for users of our services.

Please fill in the form below to report any vulnerabilities or issues on our full range of products and services. We ask that you work with Controlsoft to allow us to replicate and resolve any issues discovered before any disclosure. We do not operate a rewards scheme for the disclosure of security research.

Controlsoft does not intend to engage in legal action against individuals who:

  • Engage in testing of systems/research without harming anyone
  • Test on products without affecting customers, or receive consent from customers before engaging in security testing on the customer's premises
  • Adhere to the applicable laws and comply with all applicable software license requirements
  • Avoid impact to the safety or privacy of anyone

This policy is designed to be compatible with common vulnerability disclosure best practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Controlsoft or any partner organisations to be in breach of any legal obligations.

Reporting an issue

To report a security vulnerability affecting a Controlsoft product, please either contact us at support@controlsoft.com or submit details in the form below. 

We ask that:

  • Details include any proof of concept code or a link to the code that may help Controlsoft to replicate the issue.
  • Reports include details of how the vulnerability was identified and any steps to replicate the issue.
  • Reports include the names of any automated testing tools or scanner scripts used to find the issue.
  • You allow us to make contact with you by providing contact details either by email or on the form below. We will not pass your personal data on to any third parties without your permission.

What we will do  

If you follow these guidelines, you can expect from Controlsoft: 

  • A timely response to your initial disclosure, within 1 working day
  • Clear communication to let you know our planned remediation timelines 
  • Ongoing updates of any issues that may delay the remediation date of the issue. 
  • Notification when final remediation has occurred 

What we do not allow

We don’t allow any activity that might interfere with customers using Controlsoft products or services, or any activity that might result in the modification, deletion or unauthorised disclosure of our intellectual property or customer personal data. This includes:

  • Public disclosure of personal, proprietary or financial information 
  • The modification or deletion of data that isn’t yours 
  • Interruption, degradation or outage to services (like Denial of Service attacks) 
  • Spamming/social engineering/phishing attacks 
  • Physical exploits/attacks on our infrastructure 
  • Local network-based attacks such as DNS poisoning or ARP spoofing 

If you have any questions, please email us at support@controlsoft.com or call Support on +44 (0)1451 844896, Option 2.

PSTI Statement of Compliance

We, Controlsoft Limited, hereby declare under our own responsibility that the products listed below comply with the applicable security requirements in Schedule 1 of The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.

  • 1DR-PCB 
  • 2DR-PCB 

This statement covers all variants of products stated above which are manufactured by Controlsoft Limited and that come under the scope of PSTI. 

The relevant network-connected products conform with the following security requirements for manufacturers:

1. The password is defined by the user of the device, and any per-device password is generated using a security mechanism that reduces the risk of automated attacks.

2. Users can report vulnerabilities via a disclosure form at www.controlsoft.com/vulnerablity-disclosure-form or via email at support@controlsoft.com. Users will receive acknowledgment of the receipt of a vulnerability issue. Status updates will be supplied until the reported security issue has been resolved.

3. We will provide security updates for the relevant products during the support period. The defined support period will end 1 year after the product reaches its End of Life (EoL) date.