Pexip Vulnerability Disclosure Handling Policy

Guidance on reporting security incidents to Pexip's security team.

Pexip Security Incident Response Team

Pexip has a number of software engineers tasked with responding to security issues in Pexip’s products. They can be contacted by sending an email to securityreports@pexip.com. A GPG public key is available so that reports sent to the team can be encrypted.

The team works closely with Pexip R&D and with the Pexip support organisation to manage the response to security reports.

CVE Tracking

Pexip’s R&D teams are responsible for tracking new CVE announcements and acting on those which affect Pexip’s products.

Security Incident Response Process

  1. Pexip is made aware of a relevant security issue, either from internal research, external reports or CVE monitoring.

  2. Prioritize and assign resources according to issue severity.

  3. Develop a fix or workaround. Assess the impact of the solution.

  4. Produce a communication plan, where applicable.

  5. Notify customers, where applicable.

Severity scoring and disclosure methods

Pexip uses the Common Vulnerability Scoring System version 3.1 (CVSS 3.1) to score vulnerabilities. This allows us to communicate the characteristics and impacts of any security vulnerabilities discovered in our products.

A severity label for a vulnerability is computed from the CVSS Base Score (the score derived from the Base metric group alone, before any temporal or environmental adjustment) according to the following scale:

Base Score   Severity
0.0          None
0.1-3.9      Low
4.0-6.9      Medium
7.0-8.9      High
9.0-10.0     Critical

Pexip assesses the risk of each vulnerability in the context of its product environment to obtain a risk-assessed score. A risk label for a vulnerability is computed from the risk-assessed score according to the following scale:

Risk Score   Risk Label
0.0          None
0.1-3.9      Low
4.0-6.9      Medium
7.0-8.9      High
9.0-10.0     Critical

Depending on the assessed risk of the issue and the product or service in question, different communication methods will be used:

Coordinated vulnerability disclosure

Pexip subscribes to the philosophy of Coordinated Vulnerability Disclosure (CVD). Should we discover a vulnerability in another vendor’s product, we would disclose it to the vendor directly, or to a national CERT, the CERT/CC or another coordinator who would privately report the issue to the vendor.

This approach gives the vendor the opportunity to diagnose the issue, develop a tested resolution and arrange for that resolution to be distributed before the issue is made public.

Disclosure schedule

Pexip does not follow a fixed disclosure schedule. Security Advisories are published alongside the product release in which a vulnerability is resolved.