Product Security

A core tenant of our work at Trane Technologies is, “we do what’s right, always.” This includes how we serve, support and protect our customers.

The Trane Technologies Product Security Incident Response Team provides a disciplined approach to vulnerability disclosure and notification. We seek to validate, analyze and mitigate potential vulnerabilities in a responsible manner to minimize our customers’ risk. We encourage security researchers, industry organizations, third party component suppliers and our customers to contact us with any potential vulnerabilities.

We are prepared to work in good faith with individuals and researchers that report potential vulnerabilities through our Vulnerability Disclosure Process, adhere to applicable laws and avoid harm to others in the testing process. With the reporting party’s consent, we will acknowledge individuals for their vulnerability reporting and collaboration with Trane Technologies.

Trane Technologies uses a coordinated vulnerability disclosure procedure, where a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability. Protecting customers is one of Trane Technologies’ highest priorities. We endeavor to address each vulnerability submission in a timely manner. While we are doing that, we require that vulnerability submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. Trane Technologies will notify you when the potential vulnerability in your submission is addressed.

Trane Technologies reserves the right to modify or amend the disclosure process and our submission terms at any time consistent with the requirements of the relevant principles and applicable law.

Trane Technologies works with customers and researchers to address product cybersecurity vulnerabilities. Help us to continually improve our products by reporting a potential vulnerability within our offer portfolio or digital platform. By providing a vulnerability disclosure submission to Trane Technologies, we ask that you:

• Refrain from publishing technical details of the vulnerability that you reported to give Trane Technologies an opportunity to fix it. We will work with you to define a disclosure timeline.
• Understand that you have the option to publicize your role in the vulnerability identification process upon process conclusion if the vulnerability is publicly disclosed.
• Understand that we are not offering monetary compensation for your submission.

Trane Technologies supports Safe Harbor reporting. Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. To encourage the coordinated disclosure of product security vulnerabilities, we will consider security research tied to vulnerability disclosure activities as authorized conduct under the Computer Fraud and Abuse Act and will not pursue civil or criminal action.

Please provide details on the application or product impacted by the vulnerability and a short generic description of the issue. You will be contacted by our Product Security Incident Response Team to secure additional details about the reported vulnerability.