Virsec welcomes independent security researchers, vendors, customers, and other sources to responsibly report security vulnerabilities affecting the Virsec product portfolio.
Virsec prioritizes security concerns and is strongly committed to safeguarding our customers. Our goal is to analyze, validate, and provide corrective actions to address reported issues in a timely manner.
This policy outlines the procedures for reporting vulnerabilities to Virsec, provides guidance to the vulnerability reporters, and explains what you can expect once we receive your report. Virsec reserves the right to deviate from this policy when necessary.
For detailed insights into the vulnerability management process followed by the Virsec Product Security Incident Response Team (PSIRT), please visit the Virsec PSIRT webpage.
If you need to report a potential security vulnerability in any Virsec product, please use one of the following methods:
Submit the Vulnerability Disclosure Form, or send an email to psirt@virsec.com.
We highly recommend encrypting your email with the Virsec PSIRT PGP public key for additional security. Existing customers and suppliers should report any security concerns directly to their Virsec contacts through the established channels.
Upon successful receipt of the report, our security team will send an acknowledgment to the reporter and begin the process of analyzing, validating, and taking corrective actions to address the vulnerability. All information received in the report is treated with the utmost care and is considered confidential. It is shared only with the relevant stakeholders on a need-to-know basis.
For reporting security concerns in Virsec IT systems, such as Virsec website vulnerabilities or non-product related issues, please use one of the following methods:
Submit the Vulnerability Disclosure Form, or send an email to psirt@virsec.com.
When you participate in our vulnerability disclosure program, we expect the following from you:
After validating the vulnerability, we will work to provide a resolution, share updates, and collaborate with you as needed throughout the vulnerability investigation process.
Virsec uses the Common Vulnerability Scoring System (CVSS) as part of its standard process for determining the severity of reported potential vulnerabilities, along with other factors such as scope and product impact. The timelines for responding to and addressing vulnerabilities depend on several factors, such as the severity of the vulnerability, the scope and complexity of the issue, and the product life cycle.
If we discover or identify a vulnerability in products or code developed by other vendors, we will communicate our response to the reporter and help communicate the vulnerability to the vendor we understand to be responsible.
For publicly known high-severity vulnerabilities that affect multiple products, we might publish a Security Bulletin with a fix for one product and then revise it as fixes and descriptions for other products become available.
Security Bulletins covering multiple vulnerable products list all affected products under the following categories:
We don't usually publish Security Bulletins on Friday afternoons unless it's a crisis scenario.
Our scope includes all vulnerabilities present in the products that Virsec develops and sells as market offerings until they reach the end-of-support milestone. If the fix changes Virsec’s own proprietary code and requires a customer to apply it, such as by deploying new software, Virsec assigns a CVE (Common Vulnerabilities and Exposures) identifier to each qualifying product vulnerability reported by an external finder/reporter.
When a reported vulnerability is addressed and a solution is available, we will notify the affected customers using the appropriate communication channels. If Virsec assigns a CVE, we will publish the CVE and security bulletin on the Virsec Security Bulletins page. The security bulletin will briefly describe the vulnerability, Virsec’s severity assessment rating using CVSS, and the CVE identifier. If applicable, details of the affected products and versions and guidance on addressing the issue will be included.
We will offer a formal acknowledgment, provided your research is conducted in accordance with this policy and you are the first to report the issue.
If you consent to the acknowledgment, we can mention your name on our Acknowledgements webpage. If a security bulletin is published on our public page, we will credit you for your findings. Please note that we do not currently have a bug bounty program or offer any other rewards.
Contact information
If you have any questions or comments regarding this policy, please contact Virsec PSIRT.