This policy establishes the requirements for SecureAuth Corporation and Core Security SDI Corporation (collectively the Company) for reporting and resolving security vulnerabilities. Company is committed to resolving vulnerabilities to meet the needs of its customers and the broader technology community. This document describes policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.
2. When to contact the security emergency response team
Contact the Company Computer Security Emergency Response Team (CSERT) by submitting a request via our secure support web portal at https://support.secureauth.com
using the “Product Vulnerability Report Form” or the “Service Vulnerability Report Form” in the following situations:
- You have identified a potential security vulnerability with one of our products;
- You have identified a potential security vulnerability with one of our services.
After your report is received, the appropriate personnel will contact you to follow-up.
To ensure confidentiality, we strongly encourage you to use the secure support web portal to exchange any sensitive information updates related to the report.
The “Product Vulnerability Report Form” and “Service Vulnerability Report Form” are intended ONLY for the purposes of reporting product or service security vulnerabilities. They are not for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please submit a request using the applicable service ticket type.
Company attempts to acknowledge receipt to all submitted reports within seven days.
3. When to contact the security emergency response team
Technical security information about our products and services is distributed through several channels.
a. Company distributes information to customers about security vulnerabilities via e-mail to registered support contacts as defined in the Company customer relationship management solution. In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability though there can be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.
b. As each security vulnerability case is different, we can take alternative actions in connection with issuing security notices or Advisories. Company can determine to accelerate or delay the release of a notice or not issue a notice at all. Company does not guarantee that security notices will be issued for any or all security issues customers can consider significant or that notices will be issued on any specific timetable.
c. Security-related information can also be distributed by Company to public newsgroups or electronic mailing lists. This is done on an ad hoc basis, depending on how Company perceives the relevance of each notice to each particular forum.
d. Company works with the formal incident response community to distribute information. Many company security notices are distributed by regional CSERT at the same time that they are sent through company information distribution channels.
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.
[Revised March 2018]