Vulnerability Disclosure Policy

Ascertia recommends reading this disclosure policy fully before you report any vulnerabilities. This helps ensure that you understand the policy and act in compliance with it.

Here at Ascertia we support and actively endorse working with the research and security community to improve the security of our products and services.

We are committed to resolving vulnerabilities found in our products in a careful and timely manner. We endeavour to take appropriate and necessary steps to minimize any risk to our customers and partners and aim to provide information and solutions to address security threats within our products.

We follow responsible disclosure guidelines to ensure customers and partners can address potential vulnerabilities as quickly as possible to mitigate associated risks.
We are committed to:

investigating and resolving security issues in our products and services thoroughly
working in collaboration with the security community
responding promptly and actively

Scope

The Ascertia disclosure policy applies only to vulnerabilities in our products and services under the following conditions:

‘In scope’ vulnerabilities must be previously unreported, and not already discovered by internal procedures.
Volumetric vulnerabilities are not in scope – meaning that simply overwhelming a service with a high volume of requests is not in scope.
Reports indicating that our products and services do not fully align with “best practice”, for example missing security headers, are not in scope.
TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support, are not in scope.
Clickjacking, and issues only exploitable through clickjacking, are not in scope.
The policy applies to everyone, including Ascertia staff, third party suppliers, customers and partners.

Report a Vulnerability

We recommend that security researchers contact the Ascertia Security Team by sending an email to team.security@ascertia.com.

Encrypt your report using the Ascertia Security Team PGP Key, to prevent critical information from being accidentally disclosed.

PGP key Fingerprint: 9685 1467 43CD 5200 35FA B034 49E5 1CC3 7CB3 81F3

When submitting information about a suspected vulnerability, please provide as much of the following information as possible:

Product/Service name, version, and operating environment.
Type and impact of the issue.
A compressed archive file containing proof of concept code, scripts, or other data which facilitates the reproduction of the issue.
Name and additional contact details (optional).

Any report should provide a safe, non-destructive proof of exploitation wherever possible. This helps us to ensure that the report can be reviewed quickly. It also reduces the likelihood of duplicate reports, or of malicious exploitation of some vulnerabilities.

In order to protect our existing customers, partners and yourself, we strongly recommend that you:

Do not take advantage of the vulnerability or item that you have discovered, for example by deleting or modifying system data.
Do not reveal the item to others.

We will handle all reports with strict confidentiality and will not disclose your personal information to third parties without your permission.

Vulnerability Handling Process

Security vulnerabilities in Ascertia products are actively managed through our vulnerability management process, which covers four stages:

  1. Reporting: The process begins when the Ascertia Product Security Team is made aware of a potential security vulnerability in an existing product. The reporter receives an acknowledgment and will be updated throughout the process.
  2. Triage: The Ascertia Product Security Team investigates the issue, confirms the potential vulnerability, assesses any risk, determines the impact and assigns a processing priority. The outcome is communicated to the reporter.
  3. Resolution: The Ascertia product development team works with the Product Security Team to develop a resolution that mitigates the reported vulnerability.
  4. Disclosure: If the vulnerability is deemed to be of sufficient severity, a product security bulletin is created to provide all affected customers with the information needed to accurately assess their risk, and to inform them of possible remediation and workaround advice as well as the availability of any patches. Following disclosure, customer questions are handled by the Ascertia Support Team.

The Ascertia disclosure policy ensures all customers receive the same information at the same time to avoid introducing further risk.

Because Ascertia has a direct relationship with all customers and partners, Ascertia will communicate any item to all affected customers as soon as any risk is discovered. As a result, Ascertia has no need to publish public CVEs and does not authorise any third party to publicise issues discovered in Ascertia products or services.

Ascertia also provides software/service updates as part of the Support Services offered during the Support Period of the product. Specifically:

Ascertia will provide, during the Support Period, the following support to customers:

  1. Use commercially reasonable efforts to investigate and find a resolution to items reported by customers and partners and confirmed by Ascertia, in accordance with the priority level assigned to the item by Ascertia in its reasonable discretion.
  2. Update the documentation as and when necessary.
  3. Provide generally available maintenance software and software release notes.

Ascertia is a global leader in delivering functionally rich, easy to deploy e-security solutions. We pride ourselves in being easy and efficient to deal with.