Pexip Vulnerability Disclosure Handling Policy
Pexip Security Incident Response Team
Pexip has a number of software engineers tasked with responding to security issues in Pexip’s products. They can be contacted by sending an email to securityreports@pexip.com. A GPG public key is available to enable encryption of reports sent to the team.
The team works closely with Pexip R&D and with the Pexip support organisation to manage the response to security reports.
CVE Tracking
Pexip’s R&D teams are responsible for tracking new CVE announcements and acting on those which affect Pexip’s products.
Security Incident Response Process
- Pexip is made aware of a relevant security issue, either from internal research, external reports or CVE monitoring.
- Prioritize and assign resources according to issue severity.
- Develop a fix or workaround. Assess the impact of the solution.
- Produce a communication plan, where applicable.
- Notify customers, where applicable.
Severity scoring and disclosure methods
Pexip uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to score vulnerabilities. This allows us to communicate the characteristics and impact of any security vulnerability discovered in our products in a standard, comparable form.
A severity label for a vulnerability is computed from the CVSS Base Score according to the following scale:
| Base Score | Severity |
| --- | --- |
| 0.0 | None |
| 0.1-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-8.9 | High |
| 9.0-10.0 | Critical |
Pexip assesses the risk of each vulnerability in the context of its product environment to obtain a risk-assessed score. A risk label for a vulnerability is computed from the risk-assessed score according to the following scale:
| Risk Score | Risk Label |
| --- | --- |
| 0.0 | None |
| 0.1-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-8.9 | High |
| 9.0-10.0 | Critical |
Depending on the assessed risk of the issue and the product or service in question, different communication methods will be used:
- Infinity and Connect applications
  - Security Advisory Bulletin — Risk Score of 7.0 – 10.0
  - Product Release Note Entry — Risk Score of 0.1 – 6.9
- Cloud Service
  - Impacts to service availability will be reported on the service status page
  - Details of vulnerabilities are not published
Coordinated vulnerability disclosure
Pexip subscribes to the philosophy of Coordinated Vulnerability Disclosure (CVD). Should we discover a vulnerability in another vendor's product, we would disclose it to the vendor directly, or to a national CERT, the CERT/CC or another coordinator who would privately report the issue to the vendor.
This approach allows the vendor the opportunity to diagnose the issue, develop a tested resolution and arrange for the resolution to be distributed before the issue is made public.
Disclosure schedule
Pexip does not follow a fixed disclosure schedule. Security Advisories are published alongside the product release in which a vulnerability is resolved.