- Mimosa allows any individual to submit vulnerabilities on our devices. These vulnerabilities are quickly addressed in subsequent firmware releases.
- Mimosa tracks vulnerabilities across all open-source software that it uses. By upgrading these open-source software to latest versions, we plug-in the vulnerabilities.
- Mimosa devices support enabling firewall protection. This configures management access-control lists (ACLs) on the devices, thereby protecting devices from external denial-of-service (DOS) attacks.
- Mimosa devices support configuring management VLANs. Many of our customers use it to isolate management access of these devices from regular data path.
- Mimosa devices support HTTPS access to device web UI, which allows encrypted data between the web browser and device preventing man-in-the-middle attacks.
- Mimosa devices provide only minimal external APIs to reduce attack surface.
- Mimosa devices communicate using proprietary TDMA protocol. Hence, wireless packet sniffing cannot reveal much information.
- Mimosa devices support WPA-2 encryption of data packets forwarded over the wireless interface.
- Mimosa PTMP devices support RADIUS authentication of their clients, thereby blocking rogue clients from associating to the access point.
- Mimosa devices do not support JTAG interface
- Mimosa PTMP devices support DHCP server protection, which ensures that devices do not receive DHCP IP address from rogue DHCP servers.
- Mimosa PTMP devices support DHCP option-82, which allows DHCP server to validate DHCP requests coming from end hosts, connected to PTMP clients.
- Mimosa devices support data VLANs, which can be used to configure networks to isolate traffic better.
Security Vulnerability Reporting Policy
Mimosa values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.
If you are a security researcher and would like to report a security vulnerability, please send an email to: firstname.lastname@example.org
Please provide your name, contact information, and company name (if applicable) with each report.
Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with the following Responsible Disclosure Guidelines below. We will attempt to respond to your report within 1-2 business days.
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services.
- Do not modify or access data that does not belong to you.
- Give us a reasonable time to correct the issue before making any information public.