
Vulnerability Disclosure Policy
Introduction
This procedure is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to Iridium.
Vulnerabilities described by this policy may be considered “security vulnerabilities” and are defined as a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source or threat actor.
This document describes what systems and types of research are covered under this policy, how to send Iridium a vulnerability report, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in Iridium systems.
Authorization
If you make a good faith effort to comply with this policy during your security research, Iridium will consider your research to be authorized. Iridium will work with you to understand and resolve the issue quickly, and Iridium will not recommend or pursue legal action related to your research as long as you make a good faith effort to comply with this policy. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, Iridium will make this authorization known.
Guidelines
Under this policy, “research” for security vulnerabilities means activities in which you:
- Notify Iridium as soon as possible after you discover a real or potential security issue.
- Act responsibly and ethically. This includes making every effort to avoid privacy violations, degradation of user experience, disruption to Iridium systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports. For example, low-quality reports are reports whose findings are uninterpretable, very likely to be in error, or at very high risk of bias.
Once you’ve established that a security vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), in order to be considered as authorized activities under this policy you must stop your test, notify us immediately and not disclose this data to anyone else.
Test Methods
Iridium will deal in good faith with security researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with the following guidelines:
- Testing activities are limited exclusively to:
  - Testing to detect a vulnerability or identify an indicator related to a vulnerability; or,
  - Sharing information with, or receiving information from, Iridium about a vulnerability or an indicator related to a vulnerability;
- Researchers may not harm any Iridium system or data on an Iridium system or exploit any potential vulnerabilities beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability;
- Researchers must not establish command-line access and/or persistence; pivot to other systems; escalate privileges; attempt to move laterally within the network; disrupt access to Iridium services; or introduce any malware in the course of testing;
- Researchers must avoid intentionally accessing the content of any communications, data, or information transiting or stored on any Iridium information system – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists;
- Researchers must not intentionally exfiltrate or copy Iridium data, or open, take, or delete files;
- Researchers may not intentionally compromise the privacy or safety of Iridium personnel (e.g., employees, contractors) or any third parties;
- Researchers may not intentionally compromise the intellectual property or other commercial or financial interests of any Iridium personnel, equipment, entities, or third parties through their research;
- Researchers may not publicly disclose any details of the vulnerability, indicator of vulnerability, or content of information rendered available by a vulnerability, until that vulnerability is remediated and they receive explicit written authorization from Iridium;
- Researchers may not conduct denial-of-service (DoS or DDoS) tests or other tests that impair access to or damage a system or data;
- Researchers may not conduct physical testing (e.g., office access, open doors, tailgating) or social engineering, including spear phishing or vishing, or any other non-technical vulnerability testing of Iridium personnel or contractors;
- Researchers may not intentionally submit a high volume of low-quality, unsubstantiated, or false-positive reports.
Scope
This policy applies to all Iridium-managed systems and services that are accessible from the Internet. This includes the registered domain name – Iridium.com.
Any service not expressly listed above, such as any Iridium commercial communication service, is excluded from scope and is not authorized for vulnerability research. Additionally, vulnerabilities found in systems from our third-party vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at disclosure@iridium.com before starting your research.
Though we develop and maintain other internet-accessible systems or services, we ask that active vulnerability research only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits vulnerability research, please contact us to discuss it first. Iridium may increase the scope of this policy over time.
Reporting a Vulnerability
Iridium accepts vulnerability reports at disclosure@iridium.com. Reports may be submitted anonymously. If you share contact information, Iridium will acknowledge receipt of your report within three (3) business days.
Iridium will take every disclosure report seriously and, to the extent it deems appropriate, investigate reports to validate the vulnerability, prioritize any identified risk, and ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.
What Iridium Would Like to See from You
In order to help Iridium triage and prioritize submissions, it is recommended that your reports:
- Describe the location the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Describe the product, version, and configuration of any software or hardware potentially impacted.
- Suggest mitigation or remediation actions, as appropriate.
- Be in English, if possible.
Iridium will presume that a researcher who submits a report or communicates with the company has read, understands, and agrees to the guidelines described in this policy. The researcher also understands that Iridium may, at its discretion, share the vulnerability report with government authorities, such as the United States Cybersecurity and Infrastructure Security Agency, or as otherwise permitted or required by law.
What You Can Expect from Iridium
When you choose to share your contact information with Iridium, we commit to coordinating with you as openly and as quickly as possible.
- Within 14 business days, Iridium will acknowledge that your report has been received.
- To the best of our ability, Iridium will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- Iridium will maintain an open dialogue with researchers to discuss issues.
- To the best of our ability, Iridium will provide you with regular status updates until the resolution of the reported vulnerability.
- Iridium will not share your contact information with third parties unless required by law, regulation, or legal process such as a subpoena, warrant, or court order.
Conclusion
By establishing a clear and open vulnerability disclosure policy, Iridium is committed to maintaining the security and integrity of our systems, products, and services. We appreciate the assistance of security researchers and the broader community in helping us achieve this goal. Questions regarding this policy may be sent to disclosure@iridium.com.