Objective
This policy is intended to describe Digi’s standards for responding to known potential security vulnerabilities in DAL OS products. It defines Digi’s targets for communicating potential vulnerabilities and delivering resolutions to customers.
Scope
This policy specifically covers security vulnerabilities in released and supported DAL OS products. We define a security vulnerability as an unintentional weakness or flaw within hardware, firmware or software that has the potential to be exploited, by a threat agent, in order to compromise a customer’s network. These include, but are not limited to, any methods that unintentionally provide unauthorized access methods, permissions, or information.
This policy does not cover general support and resolution process for non-security related defects. For further information on general support policies, please refer to Support & Helpdesk Ops.
Audience
This policy is for the use of Digi partners and customers.
Introduction
DAL OS is Digi’s standard operating system integrated into Enterprise (EX), Industrial (IX) and Transportation routers (TX), device and serial servers (Connect EZ), console servers and USB-connected devices.
DAL OS products are designed to be secure and reliable elements of our customers' networks. Our products include many security features such as secure boot, firewalls, authentication, authorization, and encryption. Digi Engineering practices prohibit the introduction of features that bypass these features.
Digi welcomes the transparent reporting of vulnerabilities and is committed to resolving them in a timely manner. In addition to reporting by users, Digi actively searches for vulnerabilities through internal testing, static code analysis, independent penetration testing and assessing new CVEs. These may be introduced through an error in design or development or (more commonly) through a vulnerability being discovered in a third-party library integrated into DAL OS firmware or software. The vulnerabilities may be discovered through DAL OS testing, reported publicly as a Common Vulnerability and Exposure (CVE), or discovered by an independent security assessment, a customer, or another party.
Digi’s policy is to quickly assess the impact of any reported vulnerabilities. Once the vulnerability is assessed according to the Common Vulnerability Scoring System (CVSS 3.0), details of the vulnerability, its impacts and timelines for resolution will be made publicly available to customers and partners.
Reporting Potential Vulnerabilities
Customer or partners that are experiencing a security issues with DAL OS products are encouraged to report the issue as soon as practicable through the Digi security form. When reporting a potential vulnerability, please include as much information as possible (including CVE number if available) about the circumstances and the potential impact.
Assessing Potential Vulnerabilities
Digi uses the Common Vulnerability Scoring System (CVSS 3.0) in combination with the severity ratings to evaluate newly reported potential vulnerabilities. The determined CVSS score reflects the potential security threat of the vulnerability within the context of Digi product design. Digi’s security and engineering team reserves the right to internally re-classify the CVSS score to determine the likelihood of impact to our products based on implementation differences initially cited by NIST. In the event a consumer of Digi goods and services has any query on what determinations are made, a vector string of the Digi determined score can be provided for clarification via a support request to Digi support
Information and Resolution Timelines
The CVSS 3.0 score is used to prioritize and set targets for communication and resolution as follows:
| Severity |
CVSS 3.0 |
Resolution Target |
Fix Information |
| Critical |
9.0–10.0 |
Patch release within 30 days after security advisory is posted |
Fix information is in the patch release notes. |
| High |
7.0–8.9 |
Patch release within 30 days after security advisory is posted |
Fix information is in the patch release notes. |
| Medium |
4.0–6.9 |
Next major release |
Release notes |
| Minor |
N/A |
Future release |
Release notes |
| No Vulnerability |
N/A |
N/A |
N/A |
Resolution of Potential Vulnerabilities
Digi takes security vulnerabilities seriously and endeavors to make resolution available to customers and partners in line with resolution targets for all products currently in support (to verify which products are no longer supported, please visit the Digi customer portal for a list of of PCNs and EOL announcements).
For critical vulnerabilities, Digi enacts a formal Incident Management Process. This process involves dedicating appropriate resources to the resolution until a fix has been released. The process includes internal communication and escalation procedures to ensure the resolution receives the highest possible priority.
All software resolutions will be delivered through our standard release channels, which is through our Digi Remote Manager portal and our Digi support site. Security-related software resolutions are made available to all customers regardless of warranty status.
Security vulnerabilities requiring changes to hardware design are extremely rare. For critical issues Digi will issue a general recall for the effected devices. All other defects will be handled through the normal RMA process.
Receiving Information on Potential Vulnerabilities
Customers and partners can register to receive information on potential vulnerabilities that are in process of being assessed or resolved through the Digi Security Center
Any parties registered will receive Security Advisories on some Critical and High severity that will provide detailed information about the vulnerability. They will also receive updates on all issues they have reported regardless of type through our submission portal or through our support portal.
Last updated: December 20, 2022