Pexip Vulnerability Disclosure Handling Policy

Guidance on reporting security incidents to Pexip's security team.

(i) Pexip Security Incident Response Team:

Pexip has a number of software engineers tasked with responding to security vulnerabilities in Pexip's products. They can be contacted by sending an email to

The team works closely with Pexip R&D and also with the Pexip support organization to manage the response to security incidents.

The team is also the first point of contact for third parties wishing to report security issues in Pexip products.


(ii) CVE Tracking:

In addition to being the first point of contact for customer discovered vulnerabilities, the team is responsible for tracking new CVE announcements and acting on those which affect Pexip's products.



(iii) Security Incident Response Process:

→ Pexip is made aware of a relevant security incident, either from
internal research, external reports or CVE monitoring.

→ Prioritize and assign resources according to incident severity.

→ Develop fix or workaround. Assess impact of solution.

→ Produce communication plan

→ Notify customers


(iv) Severity scoring and disclosure methods:

Pexip uses the Common Vulnerability Scoring System version 3 (CVSS3) to score vulnerabilities. This allows us to communicate the characteristics and impacts of any security vulnerabilities discovered in our products.

Depending on the severity of the vulnerability, different communication methods will be used:


→ Pexip Security Advisory Bulletin — CVSS Base Score of 7.0 – 10.0
→ Pexip Product Release Note Entry — CVSS Base Score of 0.1 – 6.9

(v) Coordinated vulnerability disclosure:

Pexip subscribes to the philosophy of Co-ordinated Vulnerability Disclosure (CVD).

Should we discover a vulnerability in another vendor's product we would disclose that to the vendor directly, or to a national CERT-CC or other coordinator who would privately report the issue to the vendor.

This approach allows the vendor the opportunity to diagnose the issue, develop a tested resolution and arrange for the resolution to be distributed before the issue is made public.


(vi) Disclosure schedule:

Pexip does not follow a fixed disclosure schedule.

Security Advisories are published alongside the product release in which a vulnerability is resolved.