UK PSTI Vulnerability Updates

Responsible Vulnerability Disclosure

At Lorex, we take the security of our products very seriously. We are committed to working with the security community to identify and address vulnerabilities in a timely and responsible manner.

The UK Product Security and Telecommunications Infrastructure (PSTI) Act mandates that manufacturers have a process for reporting security vulnerabilities. We are compliant with this regulation and encourage security researchers to report any vulnerabilities they discover in our products.

This document outlines how we identify, assess, and address vulnerabilities in our connected devices.

  • Continuous Monitoring & Research: We actively search for potential threats through automated tools, security reports, and user reports.
  • Prioritization & Risk Assessment: Identified vulnerabilities are assessed based on exploitability, impact, and prevalence to prioritize critical issues.
  • Communication & Disclosure: We work with vendors to obtain patches and disclose vulnerabilities responsibly through advisories or industry programs.
    • Users are informed through our security webpage, social media, or direct notifications.
  • Remediation & Mitigation: We provide patches or mitigation strategies to address vulnerabilities.
  • Verification & Validation: We confirm the effectiveness of applied patches and continue monitoring affected devices.
  • Continuous Improvement: We regularly review and update this process based on best practices and lessons learned.
  • Secure by Design (Patching with NIST Standards): Lorex prioritizes data security. We follow NIST patching guidelines, ensuring a comprehensive, efficient, and verified process for addressing vulnerabilities in software and firmware. This commitment minimizes risk and keeps your information safe.
    • High-severity patches: Apply within 1-2 weeks.
    • Medium-severity patches: Apply within 1-4 weeks.
    • Low-severity patches: Apply within 1-2 months.

Report Vulnerabilities

Found a potential issue? Please help us by reporting it so we can fix it quickly.

What Happens Next

If you've reported a vulnerability to our security team, you'll receive a notification within 24-48 hours. This notification will include a reference number to use in all further correspondence. We may also request additional information, such as a proof of concept, to help us understand the vulnerability better.

Our Commitment to You

We value your contribution to our security. If your report aligns with our vulnerability policy, we promise to work with you to:

  • Understand the vulnerability in detail.
  • Confirm its existence and severity.
  • Address the issue promptly, based on the assessed risk.

Our goal is to resolve the vulnerability within 90 days.

Important Note

If we don't hear back from you within 48 hours of our initial contact, we may not be able to follow up on your report. Please ensure you respond to our communication in a timely manner.