Vulnerability Disclosure Policy
Lantronix, Inc.
Overview
At Lantronix, Inc., our dedication to the safety and security of our products is at the core of everything we do. When vulnerabilities are discovered, we work with all necessary partners to address and resolve them, either through technical support or firmware and software updates. The following document describes the reporting of vulnerabilities between Lantronix and its customers.
Reporting Vulnerabilities to Lantronix
If you have identified a potential vulnerability or would like the status of a known vulnerability (e.g., a CVE), please contact the Lantronix Technical Services team at [email protected]. If the vulnerability is known to Lantronix, you will receive a reply with a determination of whether the reported issue affects our products (‘affected’) or not (‘unaffected’), along with any remedial action necessary.
As part of our commitment to a swift and efficient response, Lantronix will make every effort to investigate the vulnerability within five business days and provide a determination within ten business days.
Potential Sections
Privacy Policy
When submitting a vulnerability report, please refrain from including any sensitive information about yourself or your customers. This helps ensure the safety and privacy of all parties involved. Rest assured, Lantronix is committed to protecting the confidentiality of the information you provide, adhering strictly to data protection guidelines to safeguard your data.
Security Advisories
Any security advisories related to our products will be posted at lantronix.com, under Security Advisories in the Technical Support section.
We typically issue advisories when a workaround or fix has been determined for a specific vulnerability. Our goal is to address vulnerabilities within 90 days of initial reporting.
Grading Impact
Lantronix adheres to industry-standard practices for measuring and reporting the potential impact of vulnerabilities, following the current version of the Common Vulnerability Scoring System (CVSS), so that you are always well-informed and secure.
Our advisories not only list known Lantronix products affected by the vulnerability but also provide the appropriate path for obtaining a fix or workaround. This proactive approach is our way of supporting you and ensuring your peace of mind. While we strive to list all affected versions, variations in product versions shipped by OEM partners may result in Lantronix being unaware of the complete list. Please contact [email protected] for more information.
Support Period
Lantronix is committed to assisting and informing customers when a security vulnerability is reported in a Lantronix product. Our goal is to provide a clear and consistent resource to help customers understand Lantronix’s response to such events.
Lantronix adheres to a strict Lantronix Vulnerability Management process. Any customer-reported CVE will be investigated and analyzed, and a path to resolution will be provided to the customer, when:
- The product is within its Last Day of Warranty Support as defined in Lantronix’s PCN.
- The customer has purchased Extended Warranty and it has not expired.
- Customers without Extended Warranty will be offered the option of purchasing a one-time upgrade for their deployments.
Furthermore, Lantronix reserves the right to offer free software updates for selected products determined solely at the discretion of Lantronix.
—
**Version History:**
Version 2.0 – March 2025
**Disclaimer:**
Lantronix reserves the right to revise this Vulnerability Disclosure Policy at any time without prior notice. The most current version will always be available on our website. By reporting a vulnerability, you agree to the terms set forth in this policy.