Responsible Disclosure Policy:
Digi International Inc. makes an effort to ensure that our customers have confidence in the security of our products and services. If you have discovered a security vulnerability in a Digi-branded product or service, we request that you disclose it to us in accordance with this Responsible Disclosure Policy. To report a suspected vulnerability, please submit detailed information using the form at the bottom of this page.
Encouraged Submission Types:
- OWASP Top 10
- Business Logic vulnerabilities
- Information Disclosure
- Data Exposure
- Authorization/authentication issues
***DoS testing against Digi International Inc. products owned solely by the researcher or customer is acceptable if it is on a network owned and operated by the researcher or customer.
Excluded Submission Types:
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Spam reports or solicitation
- Phishing, vishing, spear phishing reports
- Social engineering reports
- Open ports with no accompanying demonstration or proof of concept of vulnerability
- Findings generated by automated tools without a detailed explanation of what parts are vulnerable and how the vulnerability might be exploited
The following actions are prohibited under this policy, and Digi International Inc. reserves all legal rights if you engage in any of these prohibited activities:
- Disclosing any identified or alleged vulnerability addressed in your submission to the public or a third party without express written consent from Digi.
- Accessing, downloading, or modifying data that does not belong to you
- Executing or attempting to execute a “Denial of Service” attack against Digi’s systems or services.
- Using malicious software in any way
- Sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
- Degrading the operation of any Digi systems or platforms