Vulnerability / Exploit Reporting for DrayTek Products

Reporting Suspected Security Vulnerabilities in DrayTek Products

DrayTek, like every other vendor, could potentially have issues or vulnerabilities in its products which affect security or performance. In the worst case, such an issue could give an attacker the ability to attack or disrupt your network or connectivity, or to compromise your LAN.

DrayTek has a continuous programme of product improvement covering features, performance and security. We always recommend that you use the latest formal release of firmware for your product, which will include new features and security improvements. Always obtain firmware directly from the DrayTek web site.

You may discover a potential issue in one of our products either by accident or because you are testing your own system's security (penetration testing). You should also be sure to always operate your product securely; our guide here can help with that.

Real or Theoretical vulnerabilities

A vulnerability may be theoretical, benign in its effect or unlikely to actually occur or be used in the real world, or it may be more serious and present a real-world opportunity for an exploit to be used. In either case, we are committed to investigating any reports and addressing them appropriately.

Vulnerable or Obsolete Protocols & Libraries

Sometimes a vulnerability lies within an industry-standard protocol (e.g. SSL 3.0 and POODLE) or a commonly used library (e.g. Bash and Shellshock) and affects every vendor supporting that protocol or using that code. Obsolete protocols may also become 'vulnerable' to attack as technology evolves; the solution there is to use the latest protocol (e.g. use TLS 1.2 instead of SSL 3, or WPA2 instead of WEP). We provide a reference to some previous common vulnerabilities here.

How to make a report

If you wish to make a disclosure or report to us of a potential vulnerability, please email [security contact address, obscured on the page by its spam protection] stating that you have a potential vulnerability or security issue to report. You can also send us a secure email (encrypted between you and our server) using this page, with the same address as the recipient. Please do not provide specific details in your initial email/contact; you will be given a dedicated contact person to whom you can then send the details.

This disclosure method applies to security vulnerability reports, i.e. issues which, if exploited, could affect the security or performance of network data or connectivity. Regular bugs which do not affect security should be reported through the normal support channels.

Firmware Updates

New firmware may include new features, improvements to existing features, increased security, or fixes for bugs or security vulnerabilities of the type mentioned on this page. We always recommend upgrading to the latest version of firmware at your earliest opportunity; if new firmware is labelled as 'critical', it includes important fixes and should be applied immediately across all applicable routers. Fixes, particularly those relating to security, may not always be described in detail except where it would be helpful to confirm that a publicly known issue has been addressed. You can get firmware from the downloads page (UK only; for other areas, check your regional office) and also join the owners' mailing list.

PGP Key

If you wish to email draytek.co.uk addresses securely using PGP, here is our public key:

We and, by extension, our greater user community are always grateful for any reports of this nature.
Please note:

  • If you do not receive a reply, please check your spam folders or re-send. We do not ignore reports of this nature.
  • We would normally acknowledge that we have reproduced the issue and that it is being addressed but if we are unable to reproduce it, we may request more information.
  • Once the issue is confirmed, we normally can't provide an immediate time scale for a fix, as it will need to be assessed and prioritised by technicians; however, we should be able to keep you updated once this is known or give you a work-around in the meantime. Even where a change is relatively simple, any new firmware still has to go through stages of integration, testing and PQA before it can be formally released.
  • In some cases, it may not be possible to explain why something which is perceived as a bug or vulnerability is actually not. This may be because of other factors which, for security reasons, cannot be disclosed. This is not security by obscurity; we mean a situation where another mechanism prevents the issue from actually being exploited, or where other security could be compromised by providing too much detail.
  • Beyond confirming that an improvement/fix is being worked on, or is ready, for security reasons we may not be able to provide details of exactly how that issue has been addressed.
  • We do not support, encourage or permit the reverse-engineering of our products or code.