Brother PSIRT Vulnerability Disclosure Policy
This policy describes how customers and security researchers can report vulnerabilities to Brother (“Brother”, “we”, “us” or “our”) and how we respond to such reports.
Scope of vulnerability report
Vulnerabilities related to our products, software, and cloud services may be reported in accordance with this Policy.
We do not accept reports for the following:
- Unsupported products (trial versions, end of support life products)
- Non-reproducible vulnerabilities
- Disclosed vulnerabilities
- Non-exploitable vulnerabilities
- Volumetric/Denial of Service vulnerabilities (i.e., simply overwhelming our service with a high volume of requests)
- TLS configuration weaknesses (e.g., "weak" cipher suite support or the presence of TLS 1.0 support, sweet32, BEAST, etc.)
- Social Engineering Attacks
- Security bugs in third-party websites that integrate with the Products
- Reports indicating that the Products do not fully align with "best practices" such as missing security headers
Reporting a vulnerability
Please use the report form on our website at the link below to report a vulnerability related to our products, software, and cloud services.
Report a potential security vulnerability to Brother PSIRT (English only)
To triage and prioritize your report, please provide the following information:
- Product name, software version, and the functionality or network protocol in which the vulnerability was discovered
- Potential impact if vulnerabilities are exploited
- A detailed description of the steps to reproduce the vulnerability
Brother PSIRT is the contact point for inquiries regarding product vulnerabilities. Please note that we may not be able to respond to inquiries that are not related to vulnerabilities.
Regarding inquiries unrelated to vulnerabilities, please contact your local Brother call center or the dealer where you purchased the product. Please refer to Brother’s website for contact information.
We do not intend to take legal action against security researchers who attempt to verify security flaws or vulnerabilities in our products, software, or cloud services, as long as the following conditions are met:
- The testing or investigation is conducted in good faith for the sole purpose of identifying security flaws or vulnerabilities, with care taken to avoid causing any harm to individuals or us
- Any information derived from such activities is used primarily to improve the security or safety of our products or their users
However, even if the purpose of such activities is to verify security flaws or vulnerabilities, the following activities are prohibited:
- Any verification equivalent to DoS or DDoS attacks, or any other activities that disrupt access to, or damage systems or data
- Physical testing such as unauthorized entry into our offices or premises, tailgating, social engineering, or any other non-technical vulnerability testing
- Attempts to access or alter accounts or information other than your own
Our response after receiving a report
We will acknowledge receipt of the report within 7 days after receiving a report regarding a vulnerability for our products, software, or cloud services. In some cases, a representative from the Brother sales company in your region may contact you regarding the report. To facilitate this communication, we may share the personal information which you provided to the Brother PSIRT Vulnerability Reporting Contact with the Brother sales company. Please review our privacy policy for information on how we handle personal information.
The information you report will be managed by Brother PSIRT, which will investigate the issue in cooperation with our development department. Once we have confirmed whether the vulnerability exists in our product, we will contact you again using the email address you provided.
If the reported vulnerability is confirmed to be a new issue affecting our products, software, or cloud services, the relevant departments will determine the response and its schedule, and proceed with appropriate measures.
When the reported vulnerability is resolved, we will coordinate with the reporter and relevant parties to set a date for publication of a security advisory, ensuring that our customers can take appropriate measures. As soon as we complete the preparation for public disclosure, we will publish the security advisory on our website.
Bug bounty
We do not offer a paid bug bounty program, regardless of the content of the report.