Effective Date: July 20, 2011
At HTC, we recognize how important it is to protect your privacy and security. We understand that secure products are essential in maintaining the trust you place in us to provide products and services to you.
These products are more and more a combination of HTC innovations and the partners we work with. Securing the overall system is thus a joint effort involving us, our partners, and external security enthusiasts.
We believe in and follow a philosophy of Responsible Disclosure, which places the end-consumer’s interests first. Responsible Disclosure involves privately notifying our partners of any security vulnerabilities, allowing them to diligently close the vulnerabilities before disclosing them fully. While the vulnerability is being closed, we will advise consumers of a potential risk only in a way which does not increase the overall risk to end-consumers.
In the case of security vulnerabilities identified in our products and services, we encourage the reporting party to also place the end-consumers’ interests first and apply the philosophy of Responsible Disclosure.
If you believe you have discovered a security vulnerability in an HTC product or service or have a security incident to report, please email: firstname.lastname@example.org. Please include a detailed summary of the issue, including the name of the product and the nature of the issue you discovered. Be sure to include an email address where we can reach you in case we need more information.
We believe that privately notifying vendors about vulnerabilities in their software, and setting reasonable disclosure deadlines in accordance with the severity of the bugs, is good for the overall security of our end-consumers.
We take security issues seriously and will respond swiftly to fix verified security issues. Some of our products are complex and take time to update. When properly notified of legitimate issues, we’ll do our best to acknowledge your emailed report, assign resources to investigate the issue, and fix potential problems as quickly as possible.
Mobile device software requires significantly more time to correct than Internet-based services. Mobile devices require carrier and government certification, and software updates to end-consumer devices quite often have to be delivered in waves due to constraints in carrier networks. As such, investigating, correcting, certifying and initiating deployment of a mobile-device-based correction takes time. The length of time can vary greatly depending on the complexity of the vulnerability.
Upon the request of the security professional who has reported a verified security issue, we will do our best to provide updates on our progress in addressing the issue, to give confidence that we are addressing the vulnerability responsibly.
The combined contributions of all security professionals in the community are essential to keep the community secure. We thank everyone in the community for their continued efforts.