

Reporting Suspected Security Vulnerabilities in DrayTek Products

DrayTek, like all other vendors, could potentially have issues or vulnerabilities within their products which may affect security or performance. In the worst case, this could provide a hacker the ability to attack or disrupt your network, connectivity or compromise your LAN.

 

DrayTek has a continuous programme of product improvement covering features, performance and security. We always recommend that you use the latest formal release of firmware for your product, which will include new features and security improvements. Always obtain firmware directly from the DrayTek web site.

You may discover a potential issue on one of our products either by accident or because you are testing your own system security (pen testing). You should also be sure to always operate your product securely. Our guide here can help with that.

Real or Theoretical vulnerabilities

A vulnerability may be theoretical, benign in its effect, or unlikely to actually occur or be used in the real world, or it may be more serious and present a real-world opportunity for an exploit to be used. In either case, we are committed to investigating any reports and addressing them appropriately.

Vulnerable or Obsolete Protocols & Libraries

Sometimes, a vulnerability may be within an industry standard protocol (e.g. TLS/Poodle) or commonly used library (e.g. Shellshock) and affects all vendors supporting that protocol or using that code. Obsolete protocols may also be 'vulnerable' to hacking due to evolving technology; the solution there is to use the latest protocol (e.g. use TLS 1.2 instead of SSL 3, or WPA2 instead of WEP). We provide a reference to some previous common vulnerabilities here.

How to make a report

If you wish to make a disclosure or report to us of a potential vulnerability, please email [email address protected], stating that you have a potential vulnerability or security issue to report. You can also send us a secure email (encrypted between you and our server) using this page (use [email address protected] as the recipient). Please do not provide specific details in your initial email/contact - you will be provided with a dedicated contact person to whom you can then send the details.

This disclosure method applies to security vulnerability reports - issues which may affect the security or performance of network data or connectivity if exploited. Regular bugs which do not affect security should be reported by the normal support channels.

Firmware Updates

New firmware may include new features, improvements to existing features, increased security or fixes for bugs or security vulnerabilities such as the type mentioned in this page. We always recommend upgrading to the latest version of firmware at your earliest opportunity. If new firmware is labelled as 'critical', it includes important fixes and should be upgraded to immediately across all applicable routers. Fixes, particularly those relating to security, may sometimes not be described in detail except where it would be helpful to confirm that a publicly known issue has been addressed. You can get firmware from the downloads page (UK only - for other areas, check your regional office) and also join the owners' mailing list.

PGP Key

If you wish to email draytek.co.uk addresses securely using PGP, here is our public key:

We and, by extension, our greater user community are always grateful for any reports of this nature.




Please note:

  • If you do not receive a reply, please check your spam folders or re-send. We do not ignore reports of this nature.
  • We would normally acknowledge that we have reproduced the issue and that it is being addressed but if we are unable to reproduce it, we may request more information.
  • Once the issue is confirmed, we normally can't provide an immediate time scale for a fix as it will need to be assessed and prioritised by technicians. However, we should be able to keep you updated once this is known or give you a work-around in the meantime. Even where a change is relatively simple, any new firmware still has to go through stages of integration, testing and PQA before it can be formally released.
  • In some cases, it may not be possible to explain why something which is perceived as a bug or vulnerability is actually not. This may be because of other factors which, for security reasons, cannot be disclosed. This is not security by obfuscation; we mean a situation where there is another mechanism which prevents the issue from actually being enacted or where other security might be compromised by providing too much detail.
  • Beyond confirming that an improvement/fix is being worked on, or is ready, for security reasons we may not be able to provide details of exactly how that issue has been addressed.
  • We do not support, encourage or permit the reverse-engineering of our products or code.