Product Security

Responsible vulnerability management

We use responsible vulnerability management to help improve the safety and security of our products and connected solutions.

A core tenet of our work at Trane Technologies is, “we do what’s right, always.” This includes how we serve, support and protect our customers.

The Trane Technologies Product Security Incident Response Team (PSIRT) provides a disciplined approach to vulnerability disclosure and notification. We seek to validate, analyze and mitigate potential vulnerabilities in a responsible manner to minimize our customers’ risk. We encourage security researchers, industry organizations, third-party component suppliers and our customers to contact us with any potential vulnerabilities.

We are prepared to work in good faith with individuals and researchers who report potential vulnerabilities through our Vulnerability Disclosure Process, adhere to applicable laws and avoid harm to others in the testing process. With the reporting party’s consent, we will acknowledge individuals for their vulnerability reporting and collaboration with Trane Technologies.

Trane Technologies uses a coordinated vulnerability disclosure procedure, in which a vulnerability or issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy it. Protecting customers is one of Trane Technologies’ highest priorities. We endeavor to address each vulnerability submission in a timely manner. While we are doing so, we require that vulnerability submissions remain confidential and not be disclosed to third parties, including as part of paper reviews or conference submissions. Trane Technologies will notify you when the potential vulnerability in your submission has been addressed.

Trane Technologies reserves the right to modify or amend the disclosure process and our submission terms at any time consistent with the requirements of the relevant principles and applicable law.

Product security advisories

ID | Product Name | Brand | CVE | Description | Last Updated | Documentation | CSAF
ID-2023-01 | XL824, XL850, XL1050, and Pivot thermostats | Trane | CVE-2023-4212 | CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 6-Nov-23 | | N/A
ID-2021-02 | Tracer SC, Tracer SC+, Tracer Concierge | Trane | CVE-2021-38450 | CWE-94: Improper Control of Generation of Code ('Code Injection') | 10-Jul-23 | | N/A
ID-2021-02 | Tracer SC | Trane | CVE-2021-42534 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 27-Oct-21 | | N/A
ID-2021-01 | Symbio 700, Symbio 800 | Trane | CVE-2021-38448 | CWE-94: Improper Control of Generation of Code ('Code Injection') | 10-May-22 | | N/A
ID-2017-02 | Trane Comfort Link II | Trane | CVE-2015-2867 | CWE-798: Use of Hard-coded Credentials | 10-Jan-17 | | N/A
ID-2017-01 | Trane Comfort Link II | Trane | CVE-2015-2868 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | 10-Jan-17 | | N/A
ID-2016-01 | Trane Tracer SC | Trane | CVE-2016-0870 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | 28-Nov-16 | | N/A

Trane Technologies works with customers and researchers to address product cybersecurity vulnerabilities. Help us to continually improve our products by reporting a potential vulnerability in our product portfolio or digital platforms. When you submit a vulnerability disclosure to Trane Technologies, we ask that you:

  • Refrain from publishing technical details of the vulnerability that you reported to give Trane Technologies an opportunity to fix it. We will work with you to define a disclosure timeline.
  • Understand that you have the option to publicize your role in the vulnerability identification process once the process concludes, if the vulnerability is publicly disclosed.
  • Understand that we are not offering monetary compensation for your submission.

Trane Technologies supports Safe Harbor reporting. Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. To encourage the coordinated disclosure of product security vulnerabilities, we will consider security research tied to vulnerability disclosure activities as authorized conduct under the Computer Fraud and Abuse Act and will not pursue civil or criminal action.

Please provide details on the application or product impacted by the vulnerability and a short, generic description of the issue. Our Product Security Incident Response Team will contact you to obtain additional details about the reported vulnerability.

If further information is required, encrypt it with our PGP public key before transmitting it. Verify that the fingerprint of the key you downloaded matches the fingerprint published here before encrypting anything to it.

Download PGP Public Key and Fingerprint: B49A 1C70 5021 2202 B45C B28B 4DA2 200E 4B1E 0CD6
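The step the paragraph above asks for, pinning the published fingerprint and only then encrypting a report, as an added example that is not part of the Trane Technologies page or of any tool the company provides. It assumes GnuPG 2.1 or later is installed, that the downloaded key has been saved as trane-psirt.asc (a hypothetical filename), and that the report to send is a plain file; the expected fingerprint is the one published above.

```shell
#!/bin/sh
# Added example (not from the Trane Technologies page). Encrypt a vulnerability
# report to the PSIRT PGP key only after checking the key's fingerprint against
# the value published on the page. Assumes GnuPG 2.1+ and a key file saved as
# trane-psirt.asc (hypothetical filename).

# Fingerprint as published on the page.
EXPECTED_FPR="B49A 1C70 5021 2202 B45C B28B 4DA2 200E 4B1E 0CD6"

# Normalise a fingerprint for comparison: drop whitespace and an optional 0x
# prefix, upper-case the hex digits. Accepts the spaced form from the web page,
# the unspaced form gpg prints, and a copy-pasted "0x..." form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 when two fingerprints are the same key after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint of a key file without importing it.
# In --with-colons output the "fpr" record carries the fingerprint in field 10;
# the first fpr record follows the primary "pub" record.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_report KEYFILE REPORT OUTPUT
# Refuses to encrypt unless the key file's primary fingerprint matches the
# published one, then imports the key and encrypts addressing it by full
# fingerprint (never by name or e-mail, which a look-alike key could share).
encrypt_report() {
    keyfile=$1; report=$2; output=$3
    found=$(key_fingerprint "$keyfile")
    if ! fpr_matches "$EXPECTED_FPR" "$found"; then
        echo "fingerprint mismatch: expected '$EXPECTED_FPR', got '$found'" >&2
        return 1
    fi
    gpg --batch --quiet --import "$keyfile" >/dev/null 2>&1
    # --trust-model always is acceptable here because trust was established
    # out of band by the fingerprint check above, not by the web of trust.
    gpg --batch --yes --trust-model always --armor \
        --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
        --output "$output" --encrypt "$report"
}

# Usage: ./encrypt_report.sh trane-psirt.asc report.txt report.txt.asc
if [ "$#" -eq 3 ]; then
    encrypt_report "$1" "$2" "$3"
fi
```

The comparison is done on the normalised 40-hex-digit string rather than on the spaced form, so a fingerprint copied from the page, from `gpg --fingerprint` output, or with a `0x` prefix all compare correctly, and a single changed digit (or a different key with the same user ID) is rejected before any plaintext is touched.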
