Vulnerability Disclosure Policy
Compliance Statement | DCN# 05V-SVOGEN-01 | Revision A | March 16, 2026
1. Purpose and Scope
VOXMICRO LTD ("VOXMICRO") is committed to the security of its products and welcomes vulnerability reports from security researchers, customers, and the general public. This policy describes how to report security vulnerabilities in AIRETOS and OxfordTEC products and how VOXMICRO will respond.
This Vulnerability Disclosure Policy ("VDP") establishes a coordinated framework for receiving, evaluating, remediating, and disclosing security vulnerabilities in VOXMICRO products and services.
Products Covered
This policy applies to all AIRETOS wireless modules currently within their support period — across all product classes (E20, E92, E95, E98, C27, and future classes), all series (LGA, M.2 E-Key, M.2 B-Key, mPCIe), and all firmware/BSP versions under active support. It also covers OxfordTEC antenna products (limited to physical, connector, and integration issues) and VOXMICRO web properties including airetos.voxmicro.com and voxmicro.com.
Regulatory Basis
This policy is established in compliance with Regulation (EU) 2024/2847 (Cyber Resilience Act), ISO/IEC 29147:2018 (Vulnerability Disclosure), and ISO/IEC 30111:2019 (Vulnerability Handling Processes).
Effective date: March 16, 2026
2. Reporting a Vulnerability
Contact
Email: vdp+security@voxmicro.com
Web form: https://www.voxmicro.com/security
Reports are triaged by the VOXMICRO product security team. This mailbox is actively monitored during business hours and checked at least once daily outside business hours.
What to Include
- Product name and manufacturer part number (MPN)
- Firmware or BSP version (if applicable)
- A clear description of the vulnerability
- Steps to reproduce the issue
- Assessment of potential impact (if known)
- Your contact information (name or alias, email)
Detailed and well-structured reports enable faster triage and resolution.
Encryption (Optional)
Reporters may encrypt their submissions using VOXMICRO's PGP public key, available at www.voxmicro.com/security/pgp-key.asc. Encryption is recommended for reports containing sensitive technical details or proof-of-concept code.
Out of Scope
- Social engineering attacks targeting VOXMICRO personnel
- Physical attacks requiring device access beyond normal intended use
- Denial-of-service attacks against VOXMICRO infrastructure
- Vulnerabilities in third-party services not controlled by VOXMICRO
- Reports based on automated scanning tools without manual validation
3. Response Process
Acknowledgment
VOXMICRO aims to acknowledge receipt of a vulnerability report within 5 business days. VOXMICRO is a lean engineering organization; response times may vary with team availability.
Triage and Assessment
Following acknowledgment, VOXMICRO will attempt to reproduce the reported vulnerability, validate it against the affected product(s), assess severity using CVSS 3.1, and assign an internal tracking reference. The reporter will be informed of the triage outcome.
Severity Classification
Critical (CVSS 9.0–10.0): Immediate escalation; remediation prioritized
High (CVSS 7.0–8.9): Priority remediation
Medium (CVSS 4.0–6.9): Scheduled remediation
Low (CVSS 0.1–3.9): Addressed in next maintenance release
Remediation Objectives
The following timelines are objectives reflecting industry best practice, not contractual commitments. Actual timelines depend on vulnerability complexity, upstream vendor coordination, and engineering capacity.
Acknowledgment: 5 business days
Triage and validation: Best effort — reproduce, validate, assign CVSS score
Fix development (VOXMICRO-authored code): Prioritized by severity
Fix integration (upstream chipset firmware): Dependent on IC vendor patch availability
Security update release: Without undue delay after validation — updates provided free of charge per CRA
Public advisory: After embargo period or fix release, whichever occurs later
Vulnerabilities originating in upstream IC vendor chipset firmware are dependent on the vendor's patch release cycle; VOXMICRO's integration begins upon receipt of the upstream fix. VOXMICRO will communicate expected timelines to the reporter and provide periodic status updates.
4. Disclosure Policy
VOXMICRO follows coordinated vulnerability disclosure in accordance with ISO/IEC 29147:2018. Disclosure is coordinated between VOXMICRO, the reporter, and any affected third parties to minimize risk to end users.
Embargo Period
The default embargo period is 90 calendar days from the date a security update becomes available. Early disclosure may occur if the vulnerability is already publicly known, is actively exploited in the wild, or by mutual agreement between the reporter and VOXMICRO.
Public Advisory
Following the embargo period, VOXMICRO publishes a plain-language security advisory at www.voxmicro.com/security/advisories/. Advisories include a description of the vulnerability, affected products and firmware versions, severity rating, remediation steps, and credit to the reporter (unless anonymity is requested).
CVE Assignment
VOXMICRO will request CVE identifiers for confirmed vulnerabilities through the CVE Program. CVE IDs are referenced in all public advisories to enable standardized tracking.
5. Security Update Delivery
Supply Chain Role
VOXMICRO is a B2B component manufacturer. AIRETOS wireless modules are integrated by OEM customers into their end products. VOXMICRO's security update obligation is to make validated firmware and BSP updates available to its OEM customers — not to deliver updates to end-users of OEM products. OEM integrators bear responsibility for incorporating module-level updates into their own product firmware.
Update Process
Security updates are made available as firmware and/or BSP updates through existing customer channels, including direct download and the VOXMICRO engineering support portal. OEM customers are notified of available security updates and strongly recommended to deploy them as soon as possible.
Support Commitments
Support period: Minimum 5 years from product class market introduction, per EU CRA Article 13(6).
Update availability: Minimum 10 years from initial publication, per EU CRA requirements.
Cost: All security updates provided free of charge.
Separation: Where technically feasible, security updates are delivered separately from feature updates.
Upstream Dependency
Security updates addressing vulnerabilities in IC vendor chipset firmware are dependent on the upstream vendor's patch availability. Where upstream patches are delayed, VOXMICRO will communicate the dependency and expected timeline to affected OEM customers and, where possible, implement interim mitigations at the BSP or configuration level.
Rollback and Recovery
Rollback procedures are documented in product-specific release notes. Should a security update introduce a regression, VOXMICRO will provide a corrective update or documented rollback procedure without delay.
6. Regulatory Compliance
EU CRA Reporting Obligations
Effective September 11, 2026, VOXMICRO will comply with the EU Cyber Resilience Act vulnerability reporting obligations:
Early warning: Within 24 hours to national CSIRT and ENISA (actively exploited vulnerability detected)
Full notification: Within 72 hours to national CSIRT and ENISA
Final report: Within 14 days (actively exploited) or 1 month (severe incidents)
Reports are submitted through the EU CRA Single Reporting Platform (SRP) operated by ENISA. VOXMICRO's designated national CSIRT is GR-CSIRT (National CERT of Greece), corresponding to VOXMICRO LTD's main EU establishment in Greece.
7. Researcher Recognition
All reporters who submit valid vulnerability reports are credited by name (or alias of their choice) in the published security advisory, unless anonymity is requested. VOXMICRO maintains a public acknowledgment page at www.voxmicro.com/security/acknowledgments/.
Safe Harbor
VOXMICRO will not pursue legal action against individuals who:
- Discover and report security vulnerabilities in good faith and in compliance with this policy
- Avoid intentional harm to VOXMICRO systems, data, employees, or customers during their research
- Do not exploit a vulnerability beyond the minimum necessary to demonstrate its existence
- Allow VOXMICRO a reasonable period to address the vulnerability before any public disclosure
- Do not violate applicable law in the course of their research
Good-faith security research conducted in accordance with this policy is considered authorized conduct. VOXMICRO will not initiate or support legal proceedings against researchers who comply with these terms.
8. Third-Party Components
Vulnerabilities affecting IC vendor chipset firmware or other third-party components integrated into AIRETOS modules will be reported upstream through the respective vendor's PSIRT channels. VOXMICRO will coordinate disclosure timing with upstream vendors to ensure patches are available across the supply chain before public disclosure.
OEM customers deploying AIRETOS modules are notified of critical and high-severity vulnerabilities via direct communication prior to public advisory publication. VOXMICRO participates in coordinated multi-party disclosure when a shared component vulnerability affects multiple manufacturers.
9. Policy Review and Updates
This policy is reviewed at minimum annually, and additionally upon publication of EU CRA implementing acts, material changes to ENISA guidance, significant changes to VOXMICRO's product portfolio, or lessons learned from vulnerability handling experience.
Material changes will be announced at www.voxmicro.com/security/ with 30 calendar days advance notice where possible.
Document reference: 05V-SVOGEN-01 Rev A | Effective: March 16, 2026