Based on ISO/IEC 29147:2018

Calix Coordinated Vulnerability Disclosure Policy

Introduction

Calix is committed to ensuring the security and integrity of its products and services. We value the contributions of security researchers who help us identify and address vulnerabilities in our products. This document outlines our coordinated vulnerability disclosure policy, which defines the scope, responsibilities, and expectations for authorized testing and reporting of vulnerabilities within Calix products.
Scope

This policy applies to the following Calix products and services:

  • Calix Cloud platform
  • Calix mobile applications
  • Calix hardware devices, including (but not limited to) GigaSpire and GigaCenter gateways, ONTs, and access edge hardware
  • SMx, DPx, and CMS management software

This policy does not apply to any third-party products or services that may be integrated with or used in conjunction with Calix products or services. Calix is not responsible for the security or vulnerability management of such third-party products or services.
Responsibilities

Security researchers who wish to test and report vulnerabilities in Calix products or services must adhere to the following responsibilities:

  • Conduct testing only on Calix products or services that are in scope of this policy, and only on systems or devices that they own or have explicit permission to test.
  • Use only non-invasive and non-destructive methods of testing that do not affect the availability, functionality, or performance of Calix products or services, or compromise the privacy or security of Calix customers or users.
  • Refrain from using any automated tools or techniques that may generate excessive traffic or alerts, or cause denial of service or degradation of Calix products or services.
  • Refrain from exploiting any vulnerabilities that they discover, or attempting to access, modify, or delete any data or systems that do not belong to them.
  • Report any vulnerabilities that they discover to Calix as soon as possible, using the secure and confidential communication channels provided by Calix.
  • Provide sufficient information and evidence to enable Calix to verify, reproduce, and remediate the reported vulnerabilities, such as screenshots, logs, proof-of-concept code, or steps to reproduce.
  • Cooperate with Calix in the investigation and resolution of the reported vulnerabilities and respect the confidentiality and sensitivity of the information shared by Calix.
  • Agree to withhold public disclosure of the reported vulnerabilities until Calix confirms they have been resolved, or for at least 90 days from the date of reporting, whichever is earlier.
  • Acknowledge and respect the intellectual property and copyright rights of Calix and its licensors and comply with all applicable laws and regulations in conducting testing and reporting of vulnerabilities.
Expectations

Calix will respond to the security researchers who report vulnerabilities in Calix products or services in accordance with the following expectations:

  • Calix will acknowledge the receipt of vulnerabilities reported in accordance with the above responsibilities within 5 business days and provide a unique identifier for tracking the status of the reported vulnerabilities.
  • Calix will review and validate the reported vulnerabilities and provide an initial assessment of the severity and impact of the reported vulnerabilities within 15 business days.
  • Calix will prioritize and remediate the reported vulnerabilities based on their severity and impact and provide regular updates on the progress and estimated completion date.
  • Calix will notify the security researchers when the reported vulnerabilities have been resolved and provide information on the remediation measures and the availability of patches or updates.
  • Calix considers security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c), and will waive any potential DMCA claim against a security researcher for circumventing the technological measures we use to protect our products and services to the extent the actions are consistent with the responsibilities and expectations of this policy. Furthermore, because we recognize that both identifying and non-identifying information can put a security researcher at risk, we limit what we share with third parties, and we will endeavor to only share identifying personal information with consent.
Contact

Security researchers who wish to report vulnerabilities in Calix products or services should use the following secure and confidential communication channels:

Security researchers who have any questions or feedback regarding this policy should also use the above communication channels.
Last updated: October 17, 2024