Affected by the BlueJeans news? We're here to help
Products
Platform
Video platform
Products
Room connector Secure meetings Secure collaboration Business continuity Customer engagement Virtual courts
Solutions
By industry
Government Enterprise Financial services Healthcare Defense Judicial Retail
By need
Standardize on Teams Poly by Pexip Meet and collaborate securely Personalize customer engagement Connected worker
Pexip for Poly solutions
A unified experience in a flexible and scalable way while maintaining strict security protocols.
Read about the Poly+Pexip alliance
Developers
Developers
Marketplace Developer portal Forum Training Documentation System status
Downloads
Apps Platform
New version: Pexip Infinity Connect
Download the latest version of the next generation Pexip desktop apps. 
Learn more
Technology alliances
Partners
Microsoft Google Genesys Poly
Resources
Help center Book demo

Pexip Vulnerability Disclosure Handling Policy

Guidance on reporting security incidents to Pexip's security team.

(i) Pexip Security Incident Response Team

 

Pexip has a number of software engineers tasked with responding to security vulnerabilities in Pexip's products. They can be contacted by sending an email to securityreports@pexip.com. 

The team works closely with Pexip R&D and also with the Pexip support organization to manage the response to security incidents.

The team is also the first point of contact for third parties wishing to report security issues in Pexip products.

 

 

(ii) CVE Tracking

 

In addition to being the first point of contact for customer discovered vulnerabilities, the team is responsible for tracking new CVE announcements and acting on those which affect Pexip's products.

 

(iii) Security Incident Response Process

  1. Pexip is made aware of a relevant security incident, either from internal research, external reports or CVE monitoring.
  2. Prioritize and assign resources according to incident severity.
  3. Develop fix or workaround. Assess impact of solution.
  4. Produce communication plan
  5. Notify customers

 

 

(iv) Severity scoring and disclosure methods

 

Pexip uses the Common Vulnerability Scoring System version 3.1 (CVSS3.1) to score vulnerabilities.  This allows us to communicate the characteristics and impacts of any security vulnerabilities discovered in our products.

A severity label for a vulnerability is computed from the CVSS Base Score according to the following scale:

 

Base Score Severity
0.0 None
0.1-3.9 Low
4.0-6.9 Medium
7.0-8.9 High
9.0-10.0 Critical

 


Pexip assesses the risk of each vulnerability in the context of its product environment to obtain a risk-assessed score. A risk label for a vulnerability is computed from the risk-assessed score according to the following scale:

 

Risk Score Risk Label
0.0 None
0.1-3.9 Low
4.0-6.9 Medium
7.0-8.9 High
9.0-10.0 Critical


Depending on the assessed risk of the vulnerability, different communication methods will be used:

  • Pexip Security Advisory Bulletin — Risk Score of 7.0 – 10.0
  • Pexip Product Release Note Entry — Risk Score of 0.1 – 6.9


(v) Coordinated vulnerability disclosure

 

Pexip subscribes to the philosophy of Co-ordinated Vulnerability Disclosure (CVD).

Should we discover a vulnerability in another vendor's product we would disclose that to the vendor directly, or to a national CERT-CC or other coordinator who would privately report the issue to the vendor.

This approach allows the vendor the opportunity to diagnose the issue, develop a tested resolution and arrange for the resolution to be distributed before the issue is made public.

 

 

(vi) Disclosure schedule

 

Pexip does not follow a fixed disclosure schedule.


Security Advisories are published alongside the product release in which a vulnerability is resolved.