Product Security Policy
ORBCOMM remains fully committed to continuously enhancing our cyber-resiliency and aligning our policies and procedures with industry best practices.
We evaluate and address security concerns on an ongoing basis and as they are brought to our attention, and we commit the resources needed to analyze, validate and correct each issue.
Reporting a Potential Security Vulnerability
We welcome reporting from independent researchers, industry organizations, vendors and customers concerned with product security. To report any potential vulnerabilities, please send an email to psirt@orbcomm.com with “Responsible Disclosure” in the subject line and a summary of the findings in the body of the email. A response can be expected within three (3) to five (5) business days.
Vulnerability Management Process
Assessing Security Risk Using the Common Vulnerability Scoring System (CVSS)
We use the Common Vulnerability Scoring System version 3.0 (CVSS v3.0) to rate the severity of identified vulnerabilities. CVSS provides a common scoring method and a common language for describing the characteristics and impact of a vulnerability, and helps establish the level of response it warrants. The standard defines three metric groups, Base, Temporal and Environmental, each consisting of a set of defined metrics that produce a corresponding score. The full standard is maintained by the Forum of Incident Response and Security Teams (FIRST).
We follow the Qualitative Severity Rating Scale from the CVSS v3.0 Specification Document to define severity ratings, as shown in the table below:

| Security Impact Rating | CVSS Score |
| --- | --- |
| Critical | 9.0 – 10.0 |
| High | 7.0 – 8.9 |
| Medium | 4.0 – 6.9 |
| Low | 0.1 – 3.9 |
We reserve the right to deviate from these guidelines in specific cases where additional factors are not properly captured in the CVSS score.
We recommend consulting a security or IT professional to evaluate the risk of your specific configuration, and we encourage you to compute the CVSS Environmental score for your own deployment. To assess overall risk, take into account the Base score together with any Temporal and Environmental scores that apply to your environment. The resulting score reflects only the moment at which the evaluation was performed and the environment it was computed for; use it, together with a professional risk assessment, to prioritize responses within your own environment.
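The following is an added example, not ORBCOMM's own code or tooling, showing how the three CVSS v3.0 scores described above are derived from a vector string and mapped onto the severity table. The metric weights and formulas follow the CVSS v3.0 specification; the vector strings, the deployment scenario in the comments, and all function names are constructed for illustration and do not refer to any real product or CVE.

```python
"""CVSS v3.0 scoring from a vector string: Base, Temporal and Environmental
scores plus the qualitative severity rating.  Added illustration; not part of
ORBCOMM's policy or tooling.  Weights and formulas follow the CVSS v3.0
specification (FIRST); the sample vectors are constructed, not real CVEs."""

# Base metric weights (CVSS v3.0 specification, section 8.4).
ATTACK_VECTOR = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
ATTACK_COMPLEXITY = {"L": 0.77, "H": 0.44}
USER_INTERACTION = {"N": 0.85, "R": 0.62}
CIA_IMPACT = {"H": 0.56, "L": 0.22, "N": 0.0}
# Temporal weights; "X" (not defined) leaves the score unchanged.
EXPLOIT_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
# Environmental security requirement weights (CR / IR / AR).
REQUIREMENT = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def privileges_weight(pr, scope_changed):
    """Privileges Required weight; Low/High count for more when scope changes."""
    if pr == "N":
        return 0.85
    if pr == "L":
        return 0.68 if scope_changed else 0.62
    return 0.5 if scope_changed else 0.27  # "H"


def roundup(value):
    """Round up to one decimal place as CVSS requires.  Done on an integer scaled
    by 100000 (the v3.1 wording of the same rule) so floating-point noise such as
    4.0000000001 does not become 4.1."""
    scaled = int(round(value * 100000))
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (scaled // 10000 + 1) / 10.0


def parse_vector(vector):
    """Turn 'CVSS:3.0/AV:N/AC:L/...' into a {metric: value} dict.  All eight base
    metrics are required; temporal and environmental metrics are optional."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("expected a CVSS:3.0 vector, got %r" % parts[0])
    metrics = dict(part.split(":", 1) for part in parts[1:])
    missing = [name for name in BASE_METRICS if name not in metrics]
    if missing:
        raise ValueError("vector is missing base metrics: " + ", ".join(missing))
    return metrics


def impact_subscore(iss, scope_changed):
    """Impact sub score from the impact sub score subtotal (ISS or MISS)."""
    if scope_changed:
        return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    return 6.42 * iss


def combine(impact, exploitability, scope_changed):
    """Fold impact and exploitability into a 0.0 - 10.0 score."""
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if scope_changed:
        total *= 1.08
    return roundup(min(total, 10.0))


def base_score(m):
    scope_changed = m["S"] == "C"
    iss = 1 - (1 - CIA_IMPACT[m["C"]]) * (1 - CIA_IMPACT[m["I"]]) * (1 - CIA_IMPACT[m["A"]])
    exploitability = (8.22 * ATTACK_VECTOR[m["AV"]] * ATTACK_COMPLEXITY[m["AC"]]
                      * privileges_weight(m["PR"], scope_changed) * USER_INTERACTION[m["UI"]])
    return combine(impact_subscore(iss, scope_changed), exploitability, scope_changed)


def temporal_multiplier(m):
    return (EXPLOIT_MATURITY[m.get("E", "X")] * REMEDIATION_LEVEL[m.get("RL", "X")]
            * REPORT_CONFIDENCE[m.get("RC", "X")])


def temporal_score(m):
    return roundup(base_score(m) * temporal_multiplier(m))


def environmental_score(m):
    """Re-score with the deployer's modified base metrics (MAV, MAC, ...) and
    confidentiality/integrity/availability requirements (CR, IR, AR)."""
    def modified(name):
        # A modified metric of "X" (or one that is absent) falls back to the base value.
        value = m.get("M" + name, "X")
        return m[name] if value == "X" else value

    scope_changed = modified("S") == "C"
    miss = min(1 - (1 - CIA_IMPACT[modified("C")] * REQUIREMENT[m.get("CR", "X")])
                 * (1 - CIA_IMPACT[modified("I")] * REQUIREMENT[m.get("IR", "X")])
                 * (1 - CIA_IMPACT[modified("A")] * REQUIREMENT[m.get("AR", "X")]), 0.915)
    mod_exploitability = (8.22 * ATTACK_VECTOR[modified("AV")] * ATTACK_COMPLEXITY[modified("AC")]
                          * privileges_weight(modified("PR"), scope_changed)
                          * USER_INTERACTION[modified("UI")])
    modified_base = combine(impact_subscore(miss, scope_changed), mod_exploitability, scope_changed)
    return roundup(modified_base * temporal_multiplier(m))


def severity(score):
    """Qualitative rating; the specification adds a 'None' band for 0.0."""
    if score == 0.0:
        return "None"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


def score_vector(vector):
    m = parse_vector(vector)
    env = environmental_score(m)
    return {"base": base_score(m), "temporal": temporal_score(m),
            "environmental": env, "severity": severity(env)}


if __name__ == "__main__":
    # Constructed scenario: a vendor-rated 9.8 Critical flaw that, in a deployment
    # where the device is reachable only from an adjacent network (MAV:A), with a
    # proof-of-concept exploit and an official fix available (E:P/RL:O/RC:C),
    # scores Environmental 7.9 High even with raised C and A requirements.
    print(score_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                       "/E:P/RL:O/RC:C/CR:H/AR:H/MAV:A"))
```

The Environmental score is what the paragraph above asks customers to compute: the same Base vector can rate Critical for one deployment and High or Medium for another, depending on how reachable the affected component is and which of confidentiality, integrity and availability matter most there.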
Notifying Customers of Vulnerability
In most cases, we notify customers once a practical workaround or fix for a security vulnerability has been identified. Notification is provided through targeted communications or by posting a customer notification on the dedicated product web page, after the ORBCOMM security team has completed the vulnerability response process and determined either that sufficient software patches or workarounds exist to address the vulnerability, or that public disclosure of code fixes is planned.
Customer notifications are intended to provide sufficient details that would assist customers in making informed decisions to protect their respective environments. These notifications will typically include the following information:
- Products and versions affected.
- Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability.
- Brief description of the vulnerability and potential impact if exploited.
- The Common Vulnerability Scoring System (CVSS) severity rating for the vulnerability.
- Remediation details, such as an upgrade, fix, workaround or other customer action.
- Credit to the reporter of the identified vulnerability and acknowledgment for coordinating with ORBCOMM.
We may release a special communication to respond quickly to public disclosures where the vulnerability may have already received significant public attention or is expected to be actively exploited. In such an event, we may expedite the communication, which may or may not include a complete set of patches or workarounds.
We will not publish detailed information about the specifics of vulnerabilities, including, but not limited to, release notes, knowledge base articles, or exploit or proof-of-concept code for identified vulnerabilities.
In addition, we do not share the findings from internal security testing or other security activities with external entities. Note that any unauthorized scan of our services or production systems will be treated as an attack.
Vulnerability Remediation
We take security concerns seriously and work to evaluate and address them in a timely manner. Response timelines will depend on many factors including, but not limited to: severity, affected products and services, the current development cycle, QA cycles, and whether the issue can only be updated in a major release.
Remediation may take one or more of the following forms:
- A new ORBCOMM release or patch
- Instructions to download and install an update or patch from a third party
- A workaround to mitigate the vulnerability
Notwithstanding the foregoing, we do not guarantee a specific resolution for issues and not all identified issues may be remediated.