Vulnerability Disclosure Policy
If AIPHONE CO., LTD. (hereinafter referred to as “our company”) finds a vulnerability in our products, we will disclose information about the vulnerability appropriately, following the process described on this page, which is based on “ISO/IEC 29147” and the “Information Security Early Warning Partnership Guideline” *1, so that our customers can use our products with confidence.
*1 Information Security Early Warning Partnership Guideline (Issued by IPA)
Our company’s PSIRT (Product Security Incident Response Team) will respond to vulnerability information on our products. Please refer to “Security Response System” for details.
Collecting Vulnerability Information
To improve the quality of information security of our products, our company collects information on product vulnerabilities from both internal and external sources. Our company also accepts information from customers using our products. If you discover a vulnerability in our products, please contact us.
Reporting to our contact person
Contact us: Vulnerability inquiry form
Please provide the following information when you contact us.
- Product name/model number/software or firmware version
- Description and impact of vulnerability
- Steps to reproduce the vulnerability, and proof-of-concept code or attack code
- Name of reporter, phone number, email address, country
- For security researchers, the name of your company
After you send a report through “Contact us”, we will notify you that we have received it within 5 business days from the date of receipt. Please note that our reply may be delayed during Japan’s public holidays.
In some cases, we may not be able to respond even if you contact us with vulnerability
Before reporting, please check at the link below whether your case is supported.
Link to Product Support Status
The provided customer information and product vulnerability information will be managed in
Vulnerability investigation and countermeasures
If a vulnerability is reported, an impact investigation is conducted on the product. We determine whether a vulnerability exists and the degree of impact, and if we determine that countermeasures are necessary, we implement them in cooperation with the product development division.
Once the vulnerability countermeasures are completed in the product development department, we will create a security advisory. The security advisory’s release will be scheduled in accordance with JPCERT’s “Principle of release date consistency”.
If a vulnerability is disclosed to the public when its degree of impact and countermeasures are not clear, malicious third parties may develop and distribute malicious code (attack code) to attack products affected by the vulnerability. As a result, product users may be harmed. It is also important to have a certain level of coordination among the parties involved in the disclosure, especially in the case of vulnerabilities that affect multiple products. Releasing information independently without waiting for a public release date and time coordinated among the parties involved may put other companies’ product users at risk. In international coordination projects with overseas organizations, if the timing of information disclosure is incorrect (if the information is released independently before the public release date), the overseas organizations may take measures to remove the developer from future handling of vulnerability-related information.
Therefore, we will coordinate the release date with the “Information Security Early Warning Partnership”, with which we are registered as a product development vendor, and proceed with countermeasures as necessary. The release date and time will be determined within 45 days from the date when the handling of vulnerability-related information is started, as described in the JPCERT/CC “Guidelines for Handling Vulnerability-related Information”.
The security advisory is published on our website below.
Link to Security Advisory
For those who have contributed to the discovery or resolution of vulnerabilities in our products, acknowledgments are posted in the relevant security advisories once they have agreed to the posting. If multiple individuals or organizations contact us about the same vulnerability, we will publicly thank the first reporter.
The Company does not guarantee the accuracy, usefulness, reliability, or any other aspect of the content and other information provided on this website (hereinafter collectively referred to as "Content, etc."). Our company will not be held responsible for any damage caused by the use of the Content, etc.
Our company may suspend or discontinue the operation of this website without prior notice. Additionally, please be aware that our company may change or discontinue the information on this website without prior notice.