Pexip Vulnerability Disclosure Handling Policy
Guidance on reporting security incidents to Pexip's security team.
(i) Pexip Security Incident Response Team
Pexip has a number of software engineers tasked with responding to security vulnerabilities in Pexip's products. They can be contacted by sending an email to firstname.lastname@example.org.
The team works closely with Pexip R&D and also with the Pexip support organization to manage the response to security incidents.
The team is also the first point of contact for third parties wishing to report security issues in Pexip products.
(ii) CVE Tracking
In addition to being the first point of contact for customer discovered vulnerabilities, the team is responsible for tracking new CVE announcements and acting on those which affect Pexip's products.
(iii) Security Incident Response Process
- Pexip is made aware of a relevant security incident, either from internal research, external reports or CVE monitoring.
- Prioritize the response and assign resources according to the incident's severity.
- Develop a fix or workaround and assess the impact of that solution.
- Produce a communication plan.
- Notify customers.
(iv) Severity scoring and disclosure methods
Pexip uses the Common Vulnerability Scoring System version 3.1 (CVSS 3.1) to score vulnerabilities. This allows us to communicate the characteristics and impacts of any security vulnerabilities discovered in our products.
A severity label for a vulnerability is computed from the CVSS Base Score according to the following scale:
Pexip assesses the risk of each vulnerability in the context of its product environment to obtain a risk-assessed score. A risk label for a vulnerability is computed from the risk-assessed score according to the following scale:
| Risk Score | Risk Label |
Depending on the assessed risk of the vulnerability, different communication methods will be used:
- Pexip Security Advisory Bulletin — Risk Score of 7.0 – 10.0
- Pexip Product Release Note Entry — Risk Score of 0.1 – 6.9
(v) Coordinated vulnerability disclosure
Pexip subscribes to the philosophy of Coordinated Vulnerability Disclosure (CVD).
Should we discover a vulnerability in another vendor's product we would disclose that to the vendor directly, or to a national CERT-CC or other coordinator who would privately report the issue to the vendor.
This approach allows the vendor the opportunity to diagnose the issue, develop a tested resolution and arrange for the resolution to be distributed before the issue is made public.
(vi) Disclosure schedule
Pexip does not follow a fixed disclosure schedule.
Security Advisories are published alongside the product release in which a vulnerability is resolved.