Product Security Policy

Last updated: 5/15/2026

1. Introduction

Hitron Technologies designs and manufactures connected network products including DOCSIS cable modems and gateways, fibre (PON) ONTs, Wi-Fi routers, and 5G fixed-wireless access devices. We take the security of these products seriously and welcome reports from security researchers, customers, operators, and members of the public who identify potential vulnerabilities.

This policy describes:

  • How to report a suspected security issue to Hitron;
  • What to expect from us after you report;
  • The protections we extend to good-faith security researchers; and
  • The defined support periods during which Hitron commits to providing security updates for in-scope products.

This policy is published in compliance with the United Kingdom’s Product Security and Telecommunications Infrastructure (PSTI) Act 2022, the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (as amended), and aligns with international standards including ETSI EN 303 645, ISO/IEC 29147 (vulnerability disclosure), and ISO/IEC 30111 (vulnerability handling processes).

 

2. How to Report a Security Issue

2.1 Reporting Contacts

Region                                    Email
United Kingdom (PSTI-regulated reports)   [email protected]
All other regions                         [email protected]

If you are unsure which address applies, send your report to [email protected] and we will route it appropriately.

A machine-readable disclosure record is published per RFC 9116 at:

 

2.2 Encrypted Communication

Sensitive reports may be encrypted using our PGP public key, available at:

Key User ID: Hitron Technologies Product Security

Fingerprint: 7452 2997 F197 DE1A 77C1 671B 6FD7 F578 34B1 9FB3
 

2.3 What to Include in Your Report

To help us triage and resolve issues quickly, please include where possible:

  • Affected product model(s) and hardware revision;
  • Firmware version (visible in the product’s web UI under Status or System Information);
  • A clear description of the vulnerability and its potential impact;
  • Step-by-step reproduction instructions, including any required network conditions;
  • Proof-of-concept code, screenshots, packet captures, or logs as applicable;
  • Whether the issue has been disclosed to any other party (CERT, operator, broker, etc.);
  • Your preferred name (or pseudonym) for acknowledgment, and whether you wish to remain anonymous.

You may submit reports in English or French.
 

3. What to Expect from Hitron

When you submit a report, Hitron commits to the following process. These commitments apply to all reports and form the basis of our compliance with Schedule 1, Paragraph 2 of the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (as amended), as well as ISO/IEC 29147.
 

3.1 Acknowledgment

We will acknowledge receipt of your report within three (3) business days.
 

3.2 Triage and Validation

Within fifteen (15) business days of acknowledgment, we will provide an initial assessment indicating whether the report has been validated, requires additional information, or has been determined to be out of scope. During triage we may contact you for clarification or additional reproduction details.
 

3.3 Status Updates

Until the issue is resolved or the case is closed, we will provide status updates at least every thirty (30) days, including any change in severity assessment, remediation timeline, or coordination status.
 

3.4 Resolution Targets

Hitron will make commercially reasonable efforts to meet the target remediation timelines, measured from validation of the issue, as set out below:

Severity (CVSS v3.1)    Target
Critical (9.0–10.0)     30 days
High (7.0–8.9)          60 days
Medium (4.0–6.9)        90 days
Low (0.1–3.9)           180 days, or next scheduled release

These timelines are indicative and non-binding and may be extended at Hitron’s discretion, including but not limited to circumstances where remediation requires coordination with silicon vendors, upstream open-source projects, telecommunications operators, or CERT bodies.
 

3.5 Coordinated Disclosure

Hitron’s products are predominantly supplied to network operators who deploy them to end users under operator-controlled provisioning. Remediation of validated vulnerabilities is therefore coordinated with the affected operator(s) and, where applicable, with relevant industry coordination bodies.

Public disclosure will normally occur once a remediating firmware release is available and has been distributed to affected operators. Hitron supports a default coordinated disclosure window of 90 days from the date of validation, which may be extended by mutual agreement when remediation is materially complex or where operator deployment timelines require additional time.
 

4. Safe Harbor for Security Researchers

Hitron will not initiate or support legal action against security researchers who, in good faith:

  • Investigate and report vulnerabilities in Hitron products in accordance with this policy;
  • Make a reasonable, good-faith effort to avoid privacy violations, service disruption, or destruction of data;
  • Refrain from accessing data belonging to other users or operators beyond the minimum necessary to demonstrate the vulnerability;
  • Refrain from publicly disclosing the vulnerability before Hitron has had a reasonable opportunity to remediate, in line with Section 3.5; and
  • Refrain from extortion, demands for payment in exchange for non-disclosure, or trafficking in vulnerability details.

This safe harbor extends only to actions directed at Hitron products and infrastructure. It does not authorise activity against networks operated by Hitron’s customers (for example, cable or fibre operators) or third parties. Researchers should ensure their testing is conducted on equipment they own or are explicitly authorised to test.

Hitron does not currently operate a paid bug bounty programme. We will provide written confirmation of the disclosure for researchers who request it for portfolio or CV purposes.
 

5. Out of Scope

The following are generally considered out of scope for this policy:

  • Reports of vulnerabilities in products that have reached end-of-support (see Section 7);
  • Findings from automated scanners without demonstrable impact;
  • Denial-of-service attacks against Hitron infrastructure or products;
  • Social engineering of Hitron employees, customers, or vendors;
  • Physical attacks against Hitron offices or facilities;
  • Issues requiring privileged local access where such access is by design (for example, debug console access on devices opened with non-standard tools);
  • Theoretical vulnerabilities without a demonstrated attack path;
  • Best-practice deviations (TLS configuration, header presence) without demonstrable security impact;
  • Vulnerabilities in third-party services (cloud platforms, partner sites) that are not operated by Hitron.

If you are uncertain whether a finding is in scope, please report it; we would rather receive an out-of-scope report than miss a real issue.
 

6. Privacy and Confidentiality

Hitron treats all vulnerability reports as confidential. We will not share your identity, contact details, or the technical details of your report outside Hitron without your explicit consent, except where required for coordinated remediation (for example, with affected operators or CERT bodies under embargo) or where compelled by law.

Personal information provided in connection with a report is processed in accordance with the Hitron Privacy Policy at https://hitrontech.com/legal/privacy-policy/.
 

7. Product Security Update Support

Hitron commits to providing security updates for in-scope consumer connectable products during the defined support periods listed below. These periods are published in compliance with the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (as amended) Schedule 1, paragraph 3 (defined support period) and run from the date the product is first made available on the relevant market.

In accordance with PSTI:

  • The defined support period for any product will not be shortened after publication.
  • If the support period is extended, the new period will be published as soon as reasonably practicable.
  • Within the defined support period, Hitron will assess and address security issues affecting the product, and where remediation is feasible, will issue firmware updates through the appropriate distribution channel (typically the network operator or service provider).

 

7.1 Defined Support Periods (UK / PSTI-regulated products)

Product    Defined support until (DD/MM/YYYY)
CHITA      31/12/2026

 

7.2 Distribution of Updates

Hitron’s products are typically supplied to network operators (cable MSOs, fibre ISPs, and mobile network operators) who manage firmware distribution to end users via operator-controlled provisioning systems. Where a security update is issued, Hitron makes it available to the relevant operator; subsequent deployment to end users is governed by the operator’s own update cadence.
 

8. UK PSTI Statutory Information

This section consolidates the statutory information and timescales Hitron is required to define and publish under the UK’s Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (as amended).

  • Point of contact for reporting security issues: [email protected]
  • Acknowledgment commitment: within three (3) business days of receipt (Section 3.1).
  • Status update commitment: at least every thirty (30) days until resolution (Section 3.3).
  • Defined minimum security update period: see the table in Section 7.1.
  • Passwords: Hitron products subject to the PSTI regime do not use universal default passwords. Devices are shipped with unique per-device default credentials or require user-defined credentials at first setup, in compliance with the PSTI password requirements.

A statement of compliance accompanies in-scope products as required by the regulations.

For background on the PSTI regime: https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime
 

9. Updates to this Policy

Hitron may update this policy from time to time. Material changes will be reflected by the Last updated date at the top of the page. Defined support periods, once published, will not be shortened.
 

10. Contact

For all matters relating to product security:

Encrypted submissions are accepted; see Section 2.2 for the public key.
