Seiko Epson Corporation and its sales companies ("we", "us", "our") collect information on security vulnerabilities in our products and services (the "Products"), investigate their impact and disclose information as necessary to ensure that our customers can use our Products with confidence.
This policy applies to all vulnerabilities (*1) reported to us. Customers are requested to read this policy carefully and comply with it before reporting vulnerabilities.
*1: For the purposes of this policy, a vulnerability is defined as an attack against a product that can adversely affect its confidentiality, integrity or availability.
If you discover a new (undisclosed) vulnerability in your product, please submit a report via the link below.
The customer submitting the report (the "Reporter") will receive an acknowledgement of receipt from us within five working days, starting from the day after the day on which the report is sent.
Reported vulnerabilities are checked by our technical team, and the results are fed back to the reporter. In some cases, we may decide that the vulnerability is "not covered by the vulnerability response". For example, in the following cases.
If we determine that the product is vulnerable, we will provide the reporter with a fixed module that addresses the vulnerability or provide a workaround. Please note that when we provide a fixed module, we may ask the reporter to confirm that the vulnerability has been properly addressed.
If it is deemed necessary to inform customers other than the reporter, the security advisory will be posted on the following website as soon as the information can be disclosed, so that customers can implement appropriate measures.
In addition, if the reporter makes the disclosure, the reporter is requested to coordinate with us on the content of the disclosure (e.g. not including information that may give an attacker an advantage) and the schedule of the disclosure.
We sincerely appreciate those who take the time and effort to report vulnerabilities in accordance with this policy, but we do not offer any compensation for reporting vulnerabilities. Thank you for your understanding.