Vulnerability Reporting
How to report a security or privacy vulnerability
If you believe that you've discovered a security or privacy vulnerability that affects Lightwave devices, software, or services, please report it directly to us on the web using the Vulnerability Reporting Form.
Reports should include the specific product and software version(s) that you believe are affected; a technical description of the behaviour that you observed and the behaviour that you expected; the steps required to reproduce the issue; and a proof of concept.
After you submit your findings on the web, you can track the progress of your report as it's being reviewed.
How Lightwave handles these reports
For the protection of our customers, we don’t disclose or discuss security issues until our investigation is complete and any necessary updates are generally available.
Lightwave uses its normal channels to publish information about security fixes in our products and to publicly credit people or organisations that have reported security issues to us. We also credit researchers who have reported security issues with our web servers.
Alternatively, you can send your findings to us via email at security@lightwaverf.com. Please make sure that you include the information covered above. If your report doesn't include enough information to allow us to reproduce the issue, we may not be able to accept or evaluate it. If you submit your report via email, you will not be able to track progress online. Please use the Lightwave security PGP key to encrypt any sensitive information that you send via email, and contact Lightwave if you need to send a large file.
After you have submitted your report
We will respond to your report within five (5) working days and aim to triage your report within ten (10) working days. We will also aim to keep you informed of our progress.
Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status of your report, but should avoid doing so more than once every fourteen (14) days. This allows our teams to focus on the remediation.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
Once your vulnerability has been resolved, we welcome requests to disclose your report. We would like to unify guidance to affected users, so please do continue to coordinate public release with us.