This policy relates to the investigation and disclosure of security vulnerabilities that potentially affect products and services provided by Acuity Brands.
Once an issue is reported to the Acuity Brands PSIRT, it is evaluated based on the potential impact of the vulnerability. The PSIRT will work with the reporter and product development teams in order to determine the severity and scope of the reported issue.
In general, the PSIRT uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to determine the severity level of identified vulnerabilities. If there is a security issue with a third-party software component used in an Acuity Brands product, the CVSS may be adjusted to reflect the impact to our products. CVSS is maintained by FIRST and more information may be obtained from the FIRST.org website.
After the severity and scope of the issue have been determined, the PSIRT works with appropriate internal and external resources, as needed, in order to determine the availability of fixes and a communication plan. During the investigation, Acuity Brands treats all non-public information as highly confidential. We maintain all records regarding the identified vulnerability on encrypted filesystems and distribution is limited to those individuals who can actively assist in the resolution or have a legitimate need to know. Similarly, the Acuity Brands PSIRT asks those reporting a vulnerability to maintain strict confidentiality until the details have been published through the appropriate coordinated disclosure. See the next section of this policy for information regarding disclosure criteria.
After publication of any security issue, the PSIRT reviews our secure development lifecycle and continues to monitor networks for signs of active exploitation.
Acuity Brands may communicate security information privately to affected customers and publicly through Product Security Bulletins. Not all security issues will have both private and public disclosure components. Public Product Security Bulletins are published on the Acuity Brands PSIRT site (www.acuitybrands.com/psirt) when any of the following occur:
Individuals may also subscribe to Acuity Brands Public Security Bulletins through email directly from the PSIRT page or through an RSS feed. All Acuity Brands RSS feeds are available at: http://news.acuitybrands.com/us/follow-us-via-rss
Security Bulletins summarize a vulnerability or other security issue to help customers evaluate risks present in their environments. They are not intended to help readers reproduce the issue for testing or other research. In general, Security Bulletins will include:
Acuity Brands provides Security Bulletins to bring potentially important security information to the attention of stakeholders. However, Security Bulletins are provided “as-is” with no express or implied warranty and Acuity Brands does not represent that Security Bulletins are complete or accurate. Readers are responsible for confirming the accuracy of the information set forth in Security Bulletins, determining the applicability of the information to their installation, and taking whatever resulting action they may deem necessary, if any.
This policy covers all software and firmware sold by Acuity Brands. This includes, but is not limited to, the products sold under the following brands: Atrius™, DGLogik™, Dark To Light® (DTL), Distech Controls®, EldoLED®, Fresco™, Holophane®, IOTA®, nLight®, nLight® AIR, ROAM®, SensorSwitch™, Synergy®, and XPoint Wireless®.