Security and Compliance

Brightspeed is committed to continuously striving to implement world-class security and risk management programs to protect our brand, people, shareholders and data, and to enable solutions by maintaining security processes and industry accepted standards, regulations and certifications that protect our customers, products and data. We are a trusted partner and advisor with a risk-based focus to support business growth while consistently exceeding our customer needs and expectations.


Compliant Products and Services

Brightspeed maintains a suite of the latest industry standards that ensures compliance and security are built into all of the products and services Brightspeed has to offer. Brightspeed trains and provides core security awareness that encourages our employees to act in the best defense against any Brightspeed cybersecurity risks.


Operational Security

By implementing operational security best practices, administrative security, framework, risk management and knowledge management practices, Brightspeed has developed an effective overall cybersecurity program for security, privacy and compliance. Brightspeed focuses on all aspects of security operations automation, vendor risk management, remote workforce risk management and a mature insider threat program. Brightspeed is committed to ensuring business resiliency and survivability during an incident or business disruption. Our Corporate Business Continuity Management program supports an environment of prevention, collaboration, communication, response and recovery, ultimately ensuring our ability to serve customers, shareholders and employees in the face of disruptive events.


Compliance and Audit

Brightspeed knows that maintaining proper security and compliance programs is critical to supporting and protecting our customers’ data and meeting their compliance requirements. We partner with external auditors to perform an assortment of annual assessments that meet industry and regulatory requirements. Brightspeed provides our customers with confidence in our security through attestations and certifications that meet stringent security and regulatory requirements.


Vulnerability Disclosure Program

Brightspeed greatly appreciates you informing us about security issues you discover. We take vulnerability disclosures very seriously and have an official Vulnerability Disclosure Program. We work with security researchers in good faith to secure Brightspeed’s systems. Because Brightspeed is an ISP and cloud provider, it can be difficult to distinguish between Brightspeed-owned addresses and the millions of public IP addresses that we have allocated to customers. Though we develop and maintain other internet-accessible systems and services, we ask that active research and testing only be conducted on Brightspeed systems (including those of its affiliate companies such as CenturyLink and Quantum Fiber).


We ask the following of you when conducting vulnerability research and submitting vulnerabilities to Brightspeed:

• Report identified vulnerabilities to us immediately, as timely identification of security vulnerabilities is critical to mitigating potential risks

• Cooperate with us while we review the submission to determine if the finding is valid and has not been previously reported

• Include as much of the below information as possible to help us better understand the nature and scope of the reported issue:

  • Details necessary to identify the impacted system
  • Type and/or class of vulnerability
  • Step-by-step instructions to reproduce the vulnerability
  • Proof-of-concept or exploit code
  • Potential impact of the vulnerability

• Refrain from disclosing the identified vulnerability to anyone else for a reasonable period of time so that we may conduct validation and implement associated remedies for the vulnerability


Do not engage in any of the following activities:

  • Accessing, downloading, or modifying data residing in any system or account that does not belong to you
  • Executing or attempting to execute any “Denial of Service” attack
  • Executing or attempting to execute any social engineering attacks
  • Posting, transmitting, uploading, linking to, sending or storing any malicious software
  • Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of unsolicited messages
  • Testing in a manner that would damage or degrade the operation of any Brightspeed systems
  • Testing third-party applications, websites or services that integrate with or link to Brightspeed systems
  • Testing that may violate any applicable law or impact the security or integrity of any personal or confidential information

This Policy and the Vulnerability Disclosure Program administered by Brightspeed are subject to change or cancellation at any time without notice. This Policy is for informational purposes only and it does not create any binding obligation on Brightspeed or any legal relationship between Brightspeed and anyone who submits a vulnerability.