Vulnerability disclosure

RPS (Riello UPS) responsible disclosure statement

Since security is of critical importance to us and to our customers, we at RPS (Riello UPS) are committed to ensuring the safety and security of our products and services. RPS (Riello UPS) supports coordinated vulnerability disclosure and encourages responsible vulnerability testing. We take any reports of potential security vulnerabilities seriously.

 

Please follow these steps to report a potential security vulnerability:

Reporting Procedure:

  • Provide sufficient contact information, such as:
  1. Your contact information
  2. Name of the person who found the vulnerability
  3. Date when the vulnerability was detected and details about how it was discovered

 

  • Include a technical description of the concern or vulnerability. Provide as much information as you can on the product or service, such as version number and configuration files. If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such and is encrypted with our PGP key.
  • If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information.

 

Security Vulnerability Report Assessment and Action:

  • RPS (Riello UPS) will:
  1. acknowledge receiving your report within 7 business days.
  2. provide you with a unique tracking number for your report.
  3. assign a contact person to each submitted case.
  4. notify the interested internal technical teams.
  • RPS (Riello UPS) will keep you informed on the status of your report.
  • If the vulnerability is actually in a third-party component or service which is part of our product/service, we will refer the report to that third party and advise you of that notification. To that end, please inform us in your email whether it is permissible in such cases to provide your contact information to the third party.
  • Upon receiving a vulnerability report, RPS (Riello UPS) will:
  1. Verify the reported vulnerability.
  2. Work on a resolution.
  3. Perform QA/validation testing on the resolution.
  4. Release the resolution.
  5. Share lessons learned with development teams.
  • RPS (Riello UPS) will use existing customer notification processes to manage the release of security fixes, which may include, without limitation and at RPS (Riello UPS)'s sole discretion, direct customer notification or public release of an advisory notification on our website.

 

Important:

  • Refrain from including sensitive personal information in any screenshots or other attachments you provide to us.
  • Do not perform any vulnerability testing on applications, products or services that are actively in use. Vulnerability testing should only be performed on devices or applications, products or services not currently in use or not intended for use.
  • Do not take advantage of the vulnerability or problem you have discovered; for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data. Try not to delete or use data belonging to other users.
  • As part of responsible co-ordination of vulnerability disclosure, we encourage you to work with RPS (Riello UPS) on selecting public release dates for information on discovered vulnerabilities. 
  • In the effort to find vulnerabilities, actions must not be disproportionate. Disproportionate actions include, without limitation:
  1. Using social engineering to gain access or information.
  2. Installing or building backdoors in an information application, product or service with the intention of then using it to demonstrate the vulnerability.
  3. Utilizing a vulnerability further than what is necessary to establish its existence.
  4. Making changes to the application, product or service.
  5. Repeatedly gaining access to the application, product or service or sharing access with others.
  6. Using brute force attacks to gain access to the application, product or service. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords.
  • RPS (Riello UPS) will provide full credit to researchers who make a vulnerability report or perform testing, in publicly released patch or security fix release information, if requested.

 

Notice:
If you share any information with RPS (Riello UPS) in the context of responsible disclosure, you are agreeing that the information you submit will be considered as non-proprietary and non-confidential. RPS (Riello UPS) is allowed to use shared information, or part of it, without any restriction. You agree that submitting information does not create any rights for you or any obligation for RPS (Riello UPS).

 

Last update: 24 May 2024
