ACCO Brands Product Security Vulnerability Disclosure Policy
Introduction
ACCO Brands Corporation, including its affiliates, is committed to the security of our products and the privacy of our valued customers. We continuously strive to improve our safeguards for security and personal information in accordance with all applicable laws and regulations. This policy outlines the procedures for reporting security vulnerabilities to ACCO Brands, describes how vulnerability reports will be handled once we receive them, and explains what you can expect once we receive your report. We welcome reports from our customers and security researchers regarding potential product-related security or privacy issues and vulnerabilities.
Handling Vulnerability Reports
ACCO Brands appreciates all contributions to our security initiatives and encourages the responsible disclosure of potential product-related security or privacy issues. Our goal is to ensure that remedies and/or mitigating strategies designed to address these security or privacy issues are implemented in a timely manner.
However, we kindly request that you bear in mind the following when investigating or reporting any issues:
- Do not attempt to access or modify any ACCO Brands systems, products, or software without authorization;
- Do not modify, destroy, or misuse any data you discover; and
- We request that you please keep all non-public information relating to the reported issues confidential until we have remedied and addressed the issues. We make this request to protect the integrity of the investigation process, safeguard sensitive company information, ensure the privacy and protection of all individuals involved, and prevent false or misleading information from being disseminated. However, this does not impact your right to report issues via any legally protected channels or mechanisms.
External Communications
Periodically, ACCO Brands publishes security advisories, notices, and information articles to communicate security vulnerabilities that affect our products.
Security advisories are released to provide guidance or instructions on how customers can protect themselves and mitigate and/or remediate vulnerabilities once ACCO Brands has analyzed and identified solutions.
Security advisories are intended to provide sufficient detail to assess the impact of vulnerabilities and to remedy potentially affected products.
How to Report a Security Vulnerability
Timely identification and reporting of security vulnerabilities is critical to mitigating potential risks to our customers. If you identify a new security vulnerability in an ACCO Brands product, we ask you to report it through the channels listed in this section as soon as possible. All information you report to us is deemed confidential and will be handled with care. Further, any personal data you share with us will be handled consistent with the applicable Privacy Notice.
- For a LucidSound product
  - Please email UKPSTI@acco.com
- For a PowerA product
  - Please email UKPSTI@acco.com
When reporting a potential vulnerability, we ask that you include as much information as possible to help us better understand the nature and scope of the concern, such as:
- Product name and version containing the suspected weakness / vulnerability.
- Environment where the vulnerability can be found (for example: product model number, operating system version, and other related information).
- Step-by-step instructions to reproduce the vulnerability.
- Proof-of-concept or exploit code.
- Potential impact of the vulnerability.
Once you report a vulnerability, you will receive an email acknowledging receipt of your report within seven business days.
If we are able to reproduce the vulnerability, we will evaluate the severity and impact, and assign it to our product engineers for further action. This process can take some time based on the complexity of the issue and the details provided. If you provide your email address, you will receive periodic updates on the status of your report.
For products that are capable of being updated and are within their defined support period, we will provide a suitable solution to all affected customers once we have resolved the reported issue(s).
Please note that ACCO Brands does not currently offer compensation or bounty payments for reported or substantiated vulnerabilities.
Limitations
ACCO Brands strives to be as transparent as possible by providing information about vulnerability remediation efforts in Security Advisories and related documentation. ACCO Brands does not share verified exploits or proof of concept code for identified vulnerabilities. Additionally, in accordance with industry practices, ACCO Brands does not share test results or proof of concepts from internal security testing, or other types of privileged information, with external entities.
Customer Entitlements: Warranties, Support, and Maintenance
ACCO Brands customers’ entitlements regarding warranties, support, and maintenance are governed solely by the applicable agreement between ACCO Brands and the individual customer. The statements on this web page do not modify, enlarge, or otherwise amend any customer rights or create any additional warranties.
Disclaimer
All aspects of this Product Security Vulnerability Disclosure Policy are subject to change without notice. Response is not guaranteed for any specific issue or class of issues. Your use of the information on this page or materials linked on this page is at your own risk.
Security Advisories, Notices, and Information Articles
- For a LucidSound product
  - Visit www.lucidsound.com/security. Informational articles are available at this link when authenticated.
- For a PowerA product
  - Visit www.powera.com/security. Informational articles are available at this link when authenticated.