
Security at FoxIoT

Vulnerability reporting, coordinated disclosure policy, and mitigation guidance for FoxIoT products.

FoxIoT takes the security of its products seriously. This page provides information about how to report security vulnerabilities and how we handle them.

  1. Report a Vulnerability
  2. Coordinated Vulnerability Disclosure Policy
    1. Scope
    2. Our Commitments
    3. Disclosure Timeline
    4. Safe Harbour
  3. Product Security Information
  4. Security Advisories
  5. Security Mitigation Guidance — Wolf-App
    1. Step 1: Back Up Device Configuration
    2. Step 2: Set Up WireGuard VPN (if not already done)
    3. Step 3: Close HTTP Port (5080)
    4. Step 4: Close SSH Port (22)
    5. Step 5: Verify Device Isolation
    6. Step 6: Check Firmware Version
    7. Step 7: Apply Firmware Update (when available)
    8. Network Security Best Practices
    9. LTE/4G Users
    10. Default Firewall Configuration
  6. Contact

Report a Vulnerability

If you have discovered a security vulnerability in any FoxIoT product, please report it to:

Email: security@foxiot.eu

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected product and version (if known)
  • Potential impact
  • Your contact information (for follow-up)

Coordinated Vulnerability Disclosure Policy

Scope

This policy covers vulnerabilities in:

  • Wolf Gateway hardware
  • FoxIoT bootloader, firmware, and software (Wolf-OS and Wolf-App)
  • FoxIoT web properties (foxiot.eu)

Out of scope:

  • Applications developed by third-party system integrators on the Wolf-OS platform
  • Third-party cloud services or backends
  • Social engineering, phishing, or physical attacks
  • Denial-of-service attacks against production systems

Our Commitments

| Commitment | Timeline |
|---|---|
| Acknowledge your report | Within 48 hours (business days) |
| Initial assessment | Within 10 business days |
| Progress updates | At least every 30 days until resolved |
| Credit in advisory | Upon fix publication (if you wish) |

Disclosure Timeline

FoxIoT targets a 90-day disclosure window from the date of the initial report. For critical severity vulnerabilities, we aim to publish interim mitigation guidance within 24 hours and release a fix within 7 days. Response times refer to business days; during weekends and holidays, response times may be extended.

If we cannot produce a fix within 90 days, we will coordinate with the reporter on an extended timeline or publish mitigation guidance.

We request that reporters do not publicly disclose vulnerability details before a fix is available or the 90-day window has elapsed, whichever comes first.

Safe Harbour

FoxIoT will not take legal action against security researchers who:

  • Act in good faith and in accordance with this policy
  • Avoid privacy violations, data destruction, and disruption of services
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it
  • Report the vulnerability to FoxIoT before public disclosure

Product Security Information

Product Security Information documents are published per the EU Cyber Resilience Act (Regulation 2024/2847) for each affected product family.

| Product | Document | ID |
|---|---|---|
| Wolf Gateway (standard firmware) | Product Security Information | CRA-UI-001 |

The EU Declaration of Conformity is published at /compliance/wolf-gateway-declaration-of-conformity.pdf once the conformity assessment is complete. Signed firmware releases for the Wolf Gateway are listed at /firmware/wolf-gateway/.

Security Advisories

Security advisories for FoxIoT products will be published on this page when available.

No advisories published yet.

Security Mitigation Guidance — Wolf-App

If a security vulnerability is announced and a firmware update is not yet available, follow these steps to protect your Wolf Gateway.

Step 1: Back Up Device Configuration

Before making any changes, create a backup of your current configuration.

In the Wolf-App web UI, navigate to System, find the Backup & Restore block, and download the configuration backup to your computer.

Step 2: Set Up WireGuard VPN (if not already done)

Before closing any ports, ensure you have a working WireGuard VPN connection to the device.

  1. Open the Wolf-App web UI (http://<device-ip>:5080)
  2. Navigate to Network > WireGuard
  3. Configure a VPN tunnel and verify you can access the device through it

WARNING: Do not proceed to Step 3 without a working WireGuard or SSH connection. Closing the HTTP port without alternative access will make the device unreachable.

Step 3: Close HTTP Port (5080)

Closing the web UI port prevents access from the local network.

  1. Navigate to Network > Firewall
  2. Add a rule: Port 5080, Action: DROP
  3. Save

After this, the web UI is only accessible via WireGuard VPN.

Step 4: Close SSH Port (22)

If the vulnerability affects SSH, or for maximum protection:

  1. Navigate to Network > Firewall (do this before closing the HTTP port in Step 3)
  2. Add a rule: Port 22, Action: DROP
  3. Save

After this, the device is accessible only via WireGuard VPN.

Step 5: Verify Device Isolation

After closing ports, verify from the local network:

  • Web UI at http://<device-ip>:5080 should be unreachable
  • SSH to the device on port 22 should be refused
  • Device should still respond to ping (ICMP)
  • Device should be fully accessible via WireGuard VPN
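
The two TCP checks in Step 5 can be scripted from a host on the local network. This is an added example, not FoxIoT code: the function names, the 3-second timeout and the script name are assumptions, and it does not cover the ICMP or WireGuard checks. A DROP rule discards packets silently, so a blocked port normally shows up as a timeout ("filtered") rather than an active refusal; the script treats both as closed.

```python
"""Step 5 check, run from a host on the same LAN as the gateway."""
import socket
import sys

# Ports named on this page: Wolf-App web UI (5080) and SSH (22).
LAN_PORTS = {"web-ui": 5080, "ssh": 22}


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # handshake completed: service is reachable
    except ConnectionRefusedError:
        return "refused"       # RST came back: port closed, host reachable
    except OSError:
        return "filtered"      # timeout or unreachable: typical for DROP
    finally:
        sock.close()


def check_isolation(host, ports=None, timeout=3.0, probe=probe_tcp):
    """Return {service: (state, ok)}; ok is True when the port is not open."""
    report = {}
    for name, port in (ports or LAN_PORTS).items():
        state = probe(host, port, timeout)
        report[name] = (state, state != "open")
    return report


def isolated(report):
    """True only if no checked port accepted a connection."""
    return all(ok for _state, ok in report.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_isolation.py <device-ip>")
    result = check_isolation(sys.argv[1])
    for service, (state, ok) in result.items():
        print(f"{service:8s} {state:9s} {'OK' if ok else 'STILL REACHABLE'}")
    sys.exit(0 if isolated(result) else 1)
```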

Step 6: Check Firmware Version

Via Wolf-App UI: Navigate to System. The firmware version is displayed in the Versions block.

Via SSH: Run cat /VERSION

Step 7: Apply Firmware Update (when available)

  1. Download the firmware file from FoxIoT
  2. Navigate to System, find the Firmware Upload block
  3. Upload the firmware file
  4. Press the Restart Controller button on the same page to apply the update
  5. The device will verify the firmware signature during boot

After updating, you may re-open ports 5080 and 22 if needed via Network > Firewall.

Network Security Best Practices

  • Always use WireGuard VPN for remote access
  • Close ports 22 and 5080 on eth0 after VPN setup
  • Place the device on a separate network segment or VLAN
  • Do not expose the device directly to the internet
  • Keep firmware up to date

LTE/4G Users

If your Wolf Gateway uses the LTE modem for connectivity, the device is already protected against incoming connections. The firewall blocks all incoming traffic on the LTE interface by default. No additional action is needed for the LTE interface.

Default Firewall Configuration

| Interface | Policy | Details |
|---|---|---|
| Default | DROP | All incoming traffic blocked unless explicitly allowed |
| WireGuard (wg0, wg1) | ACCEPT | Fully trusted VPN interfaces |
| Ethernet (eth0) | SSH (22) and HTTP (5080) open | Only two ports allowed by default |
| LTE (usb0) | DROP | All incoming blocked |
| ICMP | ACCEPT | Ping allowed |
| Outgoing | ACCEPT | All outgoing traffic allowed |

Contact

| Purpose | Address |
|---|---|
| Security reports | security@foxiot.eu |
| General inquiries | info@foxiot.eu |
| Machine-readable | security.txt |

This page fulfils the requirements of EU Regulation 2024/2847 (Cyber Resilience Act), Annex I Part II(5), Part II(8), and Annex II points 2 and 8(a).

FoxIoT OÜ

Pärnu mnt 148, 11317 Tallinn, Estonia

hello@foxiot.eu


© FoxIoT OÜ 2026. All rights reserved.
