Product Security

Responsible vulnerability management

We use responsible vulnerability management to help improve the safety and security of our products and connected solutions.

Vulnerability Management

A core tenet of our work at Trane Technologies is, “we do what’s right, always.” This includes how we serve, support and protect our customers.

The Trane Technologies Product Security Incident Response Team provides a disciplined approach to vulnerability disclosure and notification. We seek to validate, analyze and mitigate potential vulnerabilities in a responsible manner to minimize our customers’ risk. We encourage security researchers, industry organizations, third-party component suppliers and our customers to contact us with any potential vulnerabilities.

We are prepared to work in good faith with individuals and researchers that report potential vulnerabilities through our Vulnerability Disclosure Process, adhere to applicable laws and avoid harm to others in the testing process. With the reporting party’s consent, we will acknowledge individuals for their vulnerability reporting and collaboration with Trane Technologies.

Vulnerability Disclosure Process

Trane Technologies uses a coordinated vulnerability disclosure procedure, where a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability. Protecting customers is one of Trane Technologies’ highest priorities. We endeavor to address each vulnerability submission in a timely manner. While we are doing that, we require that vulnerability submissions remain confidential and not be disclosed to third parties or as part of paper reviews or conference submissions. Trane Technologies will notify you when the potential vulnerability in your submission is addressed.

Trane Technologies reserves the right to modify or amend the disclosure process and our submission terms at any time consistent with the requirements of the relevant principles and applicable law.

Product Security Advisories 

| ID | Product Name | Brand | CVE | Description | Last Updated | Documentation / CSAF |
|---|---|---|---|---|---|---|
| ID-2023-01 | XL824, XL850, XL1050, and Pivot thermostats | Trane | CVE-2023-4212 | CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 6-Nov-23 | N/A |
| ID-2021-02 | Tracer SC, Tracer SC+, Tracer Concierge | Trane | CVE-2021-38450 | CWE-94: Improper Control of Generation of Code ('Code Injection') | 10-Jul-23 | N/A |
| ID-2021-02 | Tracer SC | Trane | CVE-2021-42534 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 27-Oct-21 | N/A |
| ID-2021-01 | Symbio 700, Symbio 800 | Trane | CVE-2021-38448 | CWE-94: Improper Control of Generation of Code ('Code Injection') | 10-May-22 | N/A |
| ID-2017-02 | Trane Comfort Link II | Trane | CVE-2015-2867 | CWE-798: Use of Hard-coded Credentials | 10-Jan-17 | N/A |
| ID-2017-01 | Trane Comfort Link II | Trane | CVE-2015-2868 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | 10-Jan-17 | N/A |
| ID-2016-01 | Trane Tracer SC | Trane | CVE-2016-0870 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | 28-Nov-16 | N/A |

Reporting a Potential Product Vulnerability

Help us continually improve cybersecurity by reporting a potential vulnerability within our portfolio or digital platform.

Please fill out this form so we can put you in direct contact with the appropriate Trane Technologies incident response team.

The following submission terms govern your submission to Trane Technologies. By providing a vulnerability disclosure submission to Trane Technologies using this form, you:

  • agree not to disclose engagement details and information about the potential vulnerability or exploitation before an associated security notification or version release note is released by Trane Technologies;
  • grant Trane Technologies a non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your submission: (i) to use, review, assess, test, and otherwise analyze your submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of the submission and all its content, in whole or in part;
  • agree to sign any documentation that may be required for us or our designees to confirm the rights you grant above;
  • understand and acknowledge that Trane Technologies may have developed or commissioned materials similar or identical to your submission, and you waive any claims you may have resulting from any similarities to your submission;
  • understand that we are not offering monetary compensation for your submission, and you are not guaranteed to receive any credit for use of your submission;
  • represent and warrant that your submission is your own work, that you haven’t used information owned by another person or entity, that you haven’t broken any laws or taken any illegal actions related to your submission, and that you have the legal right to provide the submission to Trane Technologies; and
  • understand that you have the option to publicize your role in the vulnerability identification process only after Trane Technologies notifies you that it has made a disclosure concerning the vulnerability.

Note: You will be contacted by our Product Security Incident Response Team so they can secure more details from you about this reported vulnerability.
