Coordinated Vulnerability Disclosure (CVD) Policy
1. Introduction
Ampetronic Ltd is committed to ensuring the security, safety, and reliability of our products and services. We recognise the important role that security researchers, integrators, customers, and industry partners play in identifying cybersecurity vulnerabilities.
This Coordinated Vulnerability Disclosure (CVD) Policy outlines how Ampetronic receives, evaluates, and remediates reported vulnerabilities in our products.
The full policy is available upon request.
2. Scope
This policy applies to:
- All Ampetronic products containing digital elements (firmware, software, network interfaces)
- Supporting software tools and configuration utilities
- Documentation, APIs, and communication interfaces
- Websites, cloud services (if applicable in future), and update delivery infrastructure
The following items are excluded from scope:
- Products without digital elements (e.g., analogue audio hardware)
- Physical access attacks requiring enclosure opening
- Missing security best practices that do not pose a direct security risk
- Email spoofing issues (e.g., absence or misconfiguration of SPF, DKIM, DMARC)
- Attacks based on social engineering techniques
- Known and documented architectural or design limitations present at the time of product development, where remediation would require fundamental redesign beyond the platform’s technical capabilities
3. Reporting a Vulnerability
Ampetronic provides a dedicated communication channel for reporting potential cybersecurity vulnerabilities.
Contact Information
Email: security@ampetronic.com
Required Information
To support effective investigation, please include:
- Product name and version (e.g., T14-1 firmware version XXXX)
- Description of the vulnerability
- Steps to reproduce
- Expected vs. actual behaviour
- Technical impact (if known)
- Contact details for follow-up communication
- Any proof-of-concept code (optional)
Ampetronic encourages encrypted submissions where feasible.
Do not send any sensitive personally identifiable information (PII).
4. What Researchers Can Expect from Ampetronic
Upon receiving a vulnerability report, Ampetronic will:
- Acknowledge receipt within 7 working days.
- Assess and prioritise the vulnerability using industry-standard scoring (e.g., CVSS).
- Engage in coordinated communication with the reporter.
- Develop and validate a remediation, where required.
- Provide a coordinated disclosure timeline, balancing public safety and customer operational needs.
- Release security updates free of charge for supported products.
- Publish an advisory (if warranted) once a fix is available.
We commit to treating all reporters with respect, professionalism, and confidentiality.
5. What Ampetronic Asks from Researchers
To protect our users and customers, we ask researchers to:
- Avoid actions that could disrupt active installations or services, especially in transportation environments
- Refrain from using attacks that directly target customers or staff
- Refrain from publicly disclosing the vulnerability until remediation is available
- Use test environments where possible
- Refrain from accessing, modifying, or deleting customer data
- Comply with applicable laws and regulations
- Maintain responsible communication with Ampetronic's security team
Ampetronic does not pursue legal action against good-faith researchers acting under this policy.
6. Vulnerability Handling Process
Ampetronic follows a structured approach aligned with ISO/IEC 30111.
Vulnerabilities are prioritised based on CVSS with environmental weighting. Whilst we cannot provide patches in a fixed timeframe, we will maintain an open dialogue and endeavour to keep you informed at every stage of the process.
Certain findings may relate to known architectural or design constraints present at the time of product development. Where such constraints cannot be remediated without fundamental redesign, Ampetronic will assess alternative risk treatments including mitigations, deployment guidance, documentation updates, or acceptance of residual risk where appropriate.
7. Disclosure and Notification
Ampetronic will notify:
- Affected customers
- System integrators
- OEM platform partners
- Relevant EU cybersecurity bodies or national authorities (where required)
Security advisories may include:
- Description of the vulnerability
- Severity rating (e.g., CVSS score)
- Affected product versions
- Mitigation or workaround
- Update availability
8. Support Period
Ampetronic commits to handling vulnerabilities for each product throughout its declared support period.
Security support includes remediation of exploitable vulnerabilities within the technical capabilities of the platform. It does not include architectural redesign beyond hardware capabilities.
For out-of-support products, Ampetronic may still provide mitigations at its discretion.
9. Data Protection and Confidentiality
All vulnerability reports are handled in accordance with:
- GDPR
- UK Data Protection Act 2018
- Ampetronic’s internal information security policies
Reporter identities will not be published without explicit consent.


