
Intelsat Vulnerability Disclosure Policy

Introduction

At Intelsat, the security and privacy of our customers is a top priority. We value the contributions of security researchers and other third parties who help us identify and fix vulnerabilities in our products and services.

If you believe you have discovered a vulnerability in one of our products or services, a privacy issue, exposed data, or other security issues in any of our assets, we encourage you to report it to us as soon as possible. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

In-Scope Systems

This policy applies to any digital assets owned, operated, or maintained by Intelsat (including its affiliates, such as Wifi Onboard, formerly known as Gogo Air CA).

Out of Scope

  • Assets or other equipment not owned by parties participating in this policy.

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority. If you are unsure whether a system is in scope for this policy or owned by Intelsat, please contact us at [email protected] before starting your research.

Intelsat’s Commitment to Researchers

As long as you act in good faith, according to the guidelines in this policy, we will make our best effort to:

  • Provide an initial response to your vulnerability report within three (3) business days and work with you to understand and validate your report
  • Determine if we will accept (intend to fix) or reject (identify your report as a false positive or acceptable risk) your vulnerability report within ten (10) business days
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints
  • Keep you up to date on progress towards remediation of reports we accept from you
  • Extend Safe Harbor for your vulnerability research that is related to this policy

What We Expect from You

In participating in our vulnerability disclosure program in good faith, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements; if there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail
  • Report any vulnerability you’ve discovered as soon as possible
  • Do not violate the privacy or safety of others, disrupt our systems, exfiltrate or destroy data, and/or harm user experience
  • Do not intentionally compromise the intellectual property or other commercial or financial interests of any Intelsat personnel or entities, or any third parties
  • Do not engage in social engineering or physical testing of facilities or resources
  • Do not send unsolicited electronic mail, including “phishing” messages, to Intelsat users, contractors, or employees, and do not introduce malicious software
  • Do not perform testing that results in denial of service conditions or degradation of our production services
  • Use only the Reporting Channels described in this policy to discuss vulnerability information with us
  • Do not delete, alter, share, retain, or destroy Intelsat data, or render Intelsat data inaccessible
  • Do not publicly disclose the vulnerability or share it with anyone else until it has been fixed (we will work promptly to fix any identified vulnerabilities and expect most to be fixed within ninety (90) days, but depending on the complexity of the issue and our operational constraints it may take longer). If it should take longer than 90 days, we will contact you in advance.
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope
  • Do not attempt to exploit the vulnerability or access any sensitive data without permission
  • Do not intentionally cause any damage or disruption to our systems or services
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence; do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information
  • Purge any stored Intelsat nonpublic data upon reporting a vulnerability
  • You should only interact with test accounts you own or with explicit permission from the account holder
  • Do not engage in extortion

Reporting Channels

Please report security issues via [email protected], providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

Reporting a Vulnerability

When you report a vulnerability, provide a description of the issue including where it was discovered and steps to reproduce it. You may also provide proof of concept scripts or screenshots.

Safe Harbor

When you conduct vulnerability research according to this policy, we consider that research to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls
  • Exempt from restrictions in our Terms of Services and Acceptable Use Policy (TOU) that would interfere with conducting security research, and we waive those restrictions on a limited basis
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report or question through one of our Reporting Channels before going any further.

Note that the Safe Harbor applies only to legal claims under Intelsat’s control; this policy does not bind independent third parties.
