Security Vulnerability Disclosure Policy
Purpose
Lytx, Inc. (“Lytx”) is committed to maintaining the security of our connected products. This policy establishes the framework for the responsible disclosure and management of security vulnerabilities in our products and services, in accordance with the UK Product Security and Telecommunications Infrastructure (“PSTI”) Act. The policy aligns with Lytx’s internal policies and aims to encourage responsible reporting, ensure timely remediation, and foster transparency and collaboration between our organization, our customers, and other stakeholders.
Scope
This policy applies to all relevant connected consumer products manufactured, sold or supplied by Lytx that are intended for consumer use in the United Kingdom, as defined under the UK PSTI Act.
How to Report a Security Vulnerability
We encourage responsible reporting of suspected security vulnerabilities in our products or services. Although we do not offer monetary rewards for vulnerability disclosures, we will provide appropriate recognition for the responsible reporting of verified security vulnerabilities.
Security vulnerabilities should be reported via email to security@lytx.com.
When reporting a security vulnerability, please provide:
- Product name and model
- Firmware/software version (if known)
- Description of the vulnerability or security defect
- Steps to reproduce the issue
- Potential impact (if known)
- Any proof-of-concept or supporting materials
You may report anonymously, although providing contact information helps us investigate more effectively. When investigating a suspected vulnerability, do not:
- Access, modify or delete data belonging to others
- Conduct actions that degrade service or harm device performance
- Use automated tools that generate excessive traffic
Acknowledgement & Communication
We will acknowledge receipt of a vulnerability report within five (5) business days.
We will provide status updates at appropriate intervals while the issue is under investigation. We will notify the reporter when the vulnerability is resolved or mitigated, where contact details are provided.
Investigation & Remediation
Upon receipt of a vulnerability report, Lytx will:
- Validate and assess the vulnerability
- Determine severity and potential impact
- Develop and test appropriate mitigations or fixes
- Deploy security updates where necessary
- Communicate relevant information to affected users as necessary
We aim to address confirmed vulnerabilities in a timely and proportionate manner, based on severity and risk.
Coordinated Disclosure
We request that reporters:
- Allow reasonable time for investigation and remediation, and do not publicly disclose vulnerabilities prior to our coordinated public advisory or the release of a fix
- Avoid exploiting vulnerabilities or accessing user data
- Comply with applicable laws and regulations
Lytx will not pursue legal action against individuals who report vulnerabilities in good faith and in accordance with this policy. Actions must be limited to testing on products and services owned by the reporter or with explicit permission, and must not compromise user data, privacy, or service availability.
Security Update Support Periods
Lytx will provide security update support for each product covered by the UK PSTI Act, including the AI-14 and SF400, for two (2) years from the date of first market availability in the UK.