Vulnerability / Exploit Reporting for DrayTek Products


Reporting Suspected Security Vulnerabilities in DrayTek Products

DrayTek, like all other vendors, could potentially have issues or vulnerabilities within their products which may affect security or performance. In the worst case, this could provide a hacker the ability to attack or disrupt your network, connectivity or compromise your LAN.

DrayTek has a continuous programme of product improvement covering features, performance and security. We always recommend that you use the latest formal release of firmware for your product, which will include new features and security improvements. Always obtain firmware directly from the DrayTek web site.

You may discover a potential issue on one of our products either by accident or because you are testing your own system security (pen testing). You should also be sure to always operate your product securely. Our guide here can help with that.

Real or Theoretical vulnerabilities

A vulnerability may be theoretical, benign in its effect, or unlikely to actually occur or be used in the real world, or it may be more serious and present a real-world opportunity for an exploit to be used. In either case, we are committed to investigating any reports and addressing them appropriately.

Vulnerable or Obsolete Protocols & Libraries

Sometimes, a vulnerability may be within an industry standard protocol (e.g. TLS/Poodle) or commonly used library (e.g. Shellshock) and affects all vendors supporting that protocol or using that code. Obsolete protocols may also be 'vulnerable' to hacking due to evolving technology; the solution there is to use the latest protocol (e.g. use TLS 1.2 instead of SSL3, or WPA2 instead of WEP). We provide a reference to some previous common vulnerabilities here.

How to make a report

You can refer to our Vulnerability Disclosure Policy for further guidance and information in the event of reporting a vulnerability. 

If you wish to make a disclosure or report to us of a potential vulnerability, please email us, stating that you have a potential vulnerability or security issue to report. You can also send us a secure email (encrypted between you and our server) using this page (use the same address as the recipient). Please do not provide specific details in your initial email/contact; you will be provided with a dedicated contact person to whom you can then send the details. Alternatively, you can use the link on the Vulnerability Disclosure Policy above.

This disclosure method applies to security vulnerability reports - issues which may affect the security or performance of network data or connectivity if exploited. Regular bugs which do not affect security should be reported by the normal support channels.

Firmware Updates

New firmware may include new features, improvements to existing features, increased security or fixes for bugs or security vulnerabilities such as the type mentioned in this page. We always recommend upgrading to the latest version of firmware at your earliest opportunity. If new firmware is labelled as 'critical', it includes important fixes and should be installed immediately across all applicable routers. Fixes, particularly those relating to security, may sometimes not be described in detail except where it would be helpful to confirm that a publicly known issue has been addressed. You can get firmware from the downloads page (UK only - for other areas, check your regional office) and also join the owners' mailing list.


If you wish to email draytek.co.uk addresses securely using PGP, here is our public key:



We and, by extension, our greater user community are always grateful for any reports of this nature.

Please note:

  • If you do not receive a reply, please check your spam folders or re-send. We do not ignore reports of this nature.
  • We would normally acknowledge that we have reproduced the issue and that it is being addressed but if we are unable to reproduce it, we may request more information.
  • Once the issue is confirmed, we normally can't provide an immediate time scale for a fix as it will need to be assessed and prioritised by technicians; however, we should be able to keep you updated once this is known or give you a work-around in the meantime. Even where a change is relatively simple, any new firmware still has to go through stages of integration, testing and PQA before it can be formally released.
  • In some cases, it may not be possible to explain why something which is perceived as a bug or vulnerability is actually not. This may be because of other factors which, for security reasons, cannot be disclosed. This is not security by obfuscation; we mean a situation where there is another mechanism which prevents the issue from actually being enacted or where other security might be compromised by providing too much detail.
  • Beyond confirming that an improvement/fix is being worked on, or is ready, for security reasons we may not be able to provide details of exactly how that issue has been addressed.
  • We do not support, encourage or permit the reverse-engineering of our products or code.