Brother PSIRT Vulnerability Disclosure Policy
This policy describes how customers and security researchers report vulnerabilities to Brother (“Brother”, “we”, “us” or “our”) and our support.
Scope of vulnerability report
Vulnerabilities related to our products, software, and cloud services are in scope for reporting under this Policy.
We do not accept reports for the following:
- Unsupported products (trial versions, end of support life products)
- Non-reproducible vulnerabilities
- Disclosed vulnerabilities
- Non-exploitable vulnerabilities
- Volumetric/Denial of Service vulnerabilities (i.e., simply overwhelming our service with a high volume of requests)
- TLS configuration weaknesses (e.g., "weak" cipher suite support or the presence of TLS 1.0 support, Sweet32, BEAST, etc.)
- Social Engineering Attacks
- Security Bugs in third party websites that integrate with the Products
- Reports indicating that the Products do not fully align with "best practices" such as missing security headers
Reporting a vulnerability
Please use the report form on our website at the link below to report vulnerabilities related to our products, software, and cloud services.
Report a potential security vulnerability to Brother PSIRT (English only)
To triage and prioritize your report, please provide the following information:
- Product name, software version and functionality/network protocol where vulnerabilities have been discovered.
- Potential impact if vulnerabilities are exploited.
- A detailed description of the steps to reproduce the vulnerability.
Brother PSIRT is the contact point for inquiries regarding product vulnerabilities. Please note that we may not be able to respond to inquiries that are not related to vulnerabilities.
Regarding inquiries unrelated to vulnerabilities, please contact your local Brother call center or the dealer where you purchased the product. Please refer to Brother’s website for contact information.
Our response after receiving a report
We will acknowledge receipt of the report within 7 days after receiving a report regarding a vulnerability for our products, software, or cloud services. In some cases, a representative from the Brother sales company in your region may contact you regarding the report. To facilitate this communication, we may share the personal information which you provided to the Brother PSIRT Vulnerability Reporting Contact with the Brother sales company. Please review our privacy policy for information on how we handle personal information.
Our development department responsible for the relevant product will review the reported vulnerability to confirm if it is a new vulnerability. Once we have confirmed whether the vulnerability exists in our product, we will contact you again using the email address you provided.
When the reported vulnerability is resolved, we will coordinate with the reporter and relevant parties to set a date for publication of a security advisory, ensuring that our customers can take appropriate measures. As soon as we complete the preparation for public disclosure, we will publish the security advisory on our website.
Bug bounty
We do not offer a paid bug bounty program, regardless of the content of the report.