Vulnerability Disclosure Policy

Our Commitment

If you believe you have discovered a vulnerability in any Optima product, service, or website, we encourage you to notify us as soon as possible. We commit to:

• Respond to your report promptly and keep you informed about our progress;
• Work with you to understand and validate the reported vulnerability;
• Acknowledge your contribution to improving our security (if you desire);
• Treat all security researchers with respect and professionalism.

Scope

This policy applies to vulnerabilities in:

• Optima software products (NMSight, RC Client, RC Server, OLS, Optima NMS)
• Optima hardware products (T:LAN, RIO xR3, enviroSENSOR, NEXUS Nano, AERO)
• Optima websites and web applications (www.optimatele.com, helpdesk.optimatele.com, cloud.optimatele.com)
• Optima cloud services and APIs

How to Report a Vulnerability

To report a security vulnerability, please send an email to our security team with the details of the vulnerability.

What to Include in Your Report

To help us understand and address the vulnerability quickly, please include the following information in your report:

Responsible Disclosure Guidelines

We ask that you:

• Do not publicly disclose the vulnerability until we have had a reasonable amount of time to address it;
• Do not access, modify, or delete data that does not belong to you;
• Do not perform actions that could negatively impact Optima's services or users;
• Do not use social engineering, physical attacks, or denial-of-service attacks;
• Do make a good faith effort to avoid privacy violations, data destruction, and service interruption;
• Do provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.

Safe Harbor

Optima Tele.com, Inc. commits to not pursue legal action against researchers who:

• Report vulnerabilities according to this policy;
• Act in good faith and avoid violating the privacy of others, destroying data, or interrupting or degrading our services;
• Do not exploit a vulnerability beyond what is necessary to demonstrate it;
• Do not publicly disclose the vulnerability before we have addressed it.

When we receive a vulnerability report under this policy, we will not recommend or pursue legal action against the reporter for the report itself or for security research conducted in accordance with this policy.

Response Timeline

We will make every effort to:

Public Disclosure

After a vulnerability has been resolved, we may publicly acknowledge your contribution (with your permission). We believe in transparency and may publish security advisories for significant vulnerabilities that have been addressed.

If you wish to remain anonymous, please let us know in your initial report.

Recognition

We greatly appreciate the efforts of security researchers who help us maintain the security of our products and services. With your permission, we will:

• Publicly acknowledge your contribution on our Security Hall of Fame page;
• Credit you in any security advisories we publish;
• Provide a letter of appreciation for your resume or portfolio.

Out of Scope

The following are generally considered out of scope for this policy:

• Vulnerabilities in third-party applications or services not owned or operated by Optima;
• Social engineering attacks against Optima employees or contractors;
• Physical security issues with Optima facilities;
• Distributed Denial of Service (DDoS) attacks;
• Spam or social engineering techniques;
• Reports of insecure SSL/TLS ciphers unless accompanied by a working proof of concept;
• Reports from automated tools or scanners without additional analysis.

Questions or Concerns

If you have questions about this vulnerability disclosure policy or the vulnerability reporting process, please contact our security team: