EVS Broadcast Equipment vulnerability disclosure policy (2024)
Represented by Serge Van Herck, Chief Executive Officer (Representing a BV).
In order to improve the performance and security of our products and solutions sold to EVS customers, we have adopted a coordinated vulnerability disclosure policy. This policy gives participants the opportunity to search for potential vulnerabilities in our products and solutions with good intentions or to pass on any information they discover about a vulnerability.
However, access to EVS products and solutions sold to EVS customers is only permitted with the intention of improving security, informing us of existing vulnerabilities and in strict compliance with the other conditions set out in this document.
Our policy concerns security vulnerabilities that could be exploited by third parties or disrupt the proper functioning of our products, services, networks or information systems.
The products and solutions in the scope of application are:
All EVS products and solutions currently supported with an active license installed.
The EVS websites or any other infrastructure and services used by EVS to support and maintain products and solutions are considered out of scope.
The EVS products and solutions running old software versions are considered out of scope if EVS published a patch for the vulnerability exploited.
The vulnerabilities linked to the operating system hosting the EVS products and solutions are considered out of scope.
Systems that are dependent on third parties are excluded from the scope of this policy, unless the third party explicitly agrees to these rules in advance.
The participant's research on information systems not explicitly included in the framework of this policy could lead to legal proceedings against him/her.
The participant undertakes to comply strictly with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to make use of the vulnerability beyond what is strictly necessary to demonstrate the security flaw. Their approach must remain proportionate: if the safety problem has been demonstrated on a small scale, no further action should be taken.
The objective of our policy is not to allow intentional knowledge of the content of computer data, communication data or personal data, and such knowledge could only occur incidentally in the context of the search for vulnerabilities.
Participants are not permitted to take the following actions:
If the participant wishes to use the assistance of a third party to carry out his or her research, the participant must ensure that the third party is aware of this policy and agrees, by offering assistance, to abide by its terms.
Similarly, it is not permitted to reveal or disclose computer data, communication data or personal data to third parties.
Our organisation undertakes to implement this policy in good faith and not to take legal action, either civil or criminal, against a participant who complies with its conditions.
The participant must be free of fraudulent intent, intent to harm, intent to use or intent to cause damage to the visited system or its data. This also applies to third-party systems and products and solutions installed at customer side located in Belgium or abroad.
If there is any doubt about any of the conditions of our policy, the participant must first ask our contact point and obtain its written consent before acting.
The purpose of a CVDP is not to intentionally process personal data, but it is possible that the participant may have to process personal data, even incidentally, in the course of his or her vulnerability research.
The processing of personal data is broad in scope and includes the storage, alteration, retrieval, consultation, use or disclosure of any information that could relate to an identified or identifiable natural person. The "identifiable" character of the person does not depend on the mere will of the data processor to identify the person, but on the possibility of identifying, directly or indirectly, the person by means of these data (for example: an e-mail address, identification number, online identifier, IP address or location data).
Thus, it is possible that the participant processes personal data to a limited extent. In the event of processing such data, the participant undertakes to comply with the legal obligations regarding the protection of personal data and the terms of this policy, in particular:
- The participant undertakes to process personal data only in accordance with the instructions of our organisation, as described in this policy, and exclusively for the purpose of investigating vulnerabilities in the systems, equipment or products of our organisation. Any processing of personal data for any other purpose is excluded.
- The participant undertakes to limit the processing of personal data to what is necessary for the purpose of vulnerability scanning.
- The participant shall ensure that the persons authorised to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.
- The participant shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (e.g. encryption). The participant declares that he/she understands the risks associated with the implementation of this policy and that he/she has the necessary expertise and experience to test our products and solutions sold to EVS customers safely and in compliance with applicable laws and regulations.
- The participant undertakes to assist us, to the extent possible and taking into account the nature of the processing and the information available to the participant, in the implementation of our obligations relating to the exercise of the rights of data subjects, the security of the processing and any impact assessment.
- The participant undertakes to inform us of any personal data breach as soon as possible after becoming aware of it.
- The participant may not keep any personal data processed for longer than necessary. During this period, the participant must ensure that this data is stored with a level of security appropriate to the risks involved (preferably encrypted). At the end of his/her participation in the policy, this data must be deleted immediately.
- The participant undertakes to keep a register of the categories of processing activities carried out on behalf of our organisation, including a description of the security measures implemented by the participant, in accordance with Article 30, § 2 of the GDPR.
The participant may work with a third party to carry out its research. The participant shall ensure that the third party is aware of this policy and agrees, by providing assistance, to abide by its terms, including confidentiality and the implementation of appropriate security measures. The participant acknowledges that he/she remains fully responsible to our organisation if the third party he/she has engaged does not fulfil its data protection obligations.
Should the participant process personal data, stored and/or otherwise processed by our organisation, in a manner inconsistent with this policy or for purposes other than the investigation of potential vulnerabilities in our organisation's systems, products and equipment, the participant acknowledges that he/she will be considered a data controller and will assume full responsibility for the processing carried out in this way.
You should only send the information found to the following e-mail address:
EVS PGP key is available here.
As soon as possible after the discovery, send us information on your findings using Annex 1.
Where a participant becomes aware of information relating to a potential vulnerability, the participant should, where possible, carry out prior checks to confirm the existence of the vulnerability and identify any risks involved.
The participant undertakes to notify, as soon as possible, technical information on possible vulnerabilities to the contact point (or coordinator (optional)), listed in point 3(a) of this policy. The participant must respect the designated secure means of communication.
Upon receipt of a notification, our organisation undertakes to send to the participant, as soon as possible, an acknowledgement of receipt and the next steps of the procedure.
The parties undertake to make every effort to ensure continuous and effective communication. The information provided by the participant can be very useful in identifying and addressing the vulnerability.
The investigation phase will allow our organisation to replicate the environment and behaviour reported in order to verify the information reported.
Our organisation undertakes to keep the participant informed on a regular basis of the results of the investigations and the follow-up to the notification.
During this process, the parties will ensure that they make the link with similar or related reports, assess the risk and severity of the vulnerability, and identify any other affected products or systems.
The objective of the disclosure policy is to enable the development of a solution to remove the vulnerability from the computer system before any damage is done.
Taking into account the state of knowledge, the costs of implementation, the seriousness of the risks to users and the technical constraints, our organisation will try to develop a solution on a best effort basis.
In this phase, our organisation and its partners commit to carrying out positive tests to verify that the solution works properly and negative tests to ensure that the solution does not disrupt the proper functioning of other existing functionalities.
Our organisation will decide, in coordination with the participant, on the modalities to eventually make public the existence of the vulnerability. This public disclosure should take place at the earliest possible time, together with the deployment of a solution and the distribution of a security notice to users.
Our organisation is also committed to collecting feedback from users on the deployment of the solution and to taking the necessary corrective measures to address any issues with the solution, including compatibility with other products or services.
Belgian law is applicable to any disputes arising from the application of this policy.
The CCB (vulnerabilityreport@cert.be) may act as an intermediary in an attempt to reconcile our organisation and the participant for problems related to the application of this policy.
The rules of the policy are applicable from 30/06/2024 until they are modified or deleted by our organisation. Such changes or deletions will be published on our organisation's website and will apply automatically after a period of 30 days following their publication.
Seraing, 04/06/2024