Disclosure Policy
Versasec believes that the disclosure of vulnerabilities is essential for improving the quality of its products and services, the safety of the customers that rely on them, and customers' awareness of the choices available to protect their specific interests. Versasec values insight from the security research community and welcomes disclosure and collaboration.
Versasec values the insight and commitment of security researchers and other vulnerability investigators who make the world a safer place by discovering vulnerabilities in security solutions, and it provides a mechanism for reporting them privately, with legitimacy and integrity.
Responsible disclosure ensures that Versasec’s products are tested and proven reliable. Moreover, the commitment to mitigate vulnerabilities is reassuring for customers and the security industry as a whole.
The following is Versasec’s responsible disclosure policy:
- Versasec will disclose known vulnerabilities and their fixes to its customers in a manner that protects Versasec and the customers. Disclosures made by Versasec will include credit to the person who first identified the vulnerability unless otherwise requested by the one who reported it.
- Versasec is open to communicating and working with security researchers who come to Versasec with a shared interest in improving security and in coordinating the distribution of information that covers both the vulnerability and the solution that addresses it.
- Versasec will publicly acknowledge in a written advisory the work of a security researcher who brings the company valid information about a vulnerability privately and then works with Versasec to coordinate the public announcement after a fix or patch has been developed and fully tested within a reasonable amount of time to be effective and deployed by Versasec and its customers.
- Security researchers are allowed to post a link to the Versasec Group advisory on their own websites as recognition for minimizing risks for the greater good and helping end-users protect themselves.
Versasec asks the security research community to work with Versasec to coordinate the public disclosure of a vulnerability. Prematurely revealing a vulnerability publicly without first notifying Versasec could harm organizations by exposing sensitive information and putting people and organizations at risk of malicious attacks.
This is why Versasec strongly advocates a two-step process: first, private disclosure of a potential vulnerability to Versasec. Once the vulnerability has been validated and resolved, and Versasec and its customers have been given a reasonable time to deploy updates or patches, Versasec coordinates the public disclosure, which includes recognition of the security researcher's discovery and confirms that credit is given to the right person(s). Versasec also asks researchers to recognize that the time Versasec needs to investigate, validate and remediate a reported vulnerability varies with its complexity and severity. Versasec will communicate expected timelines and any changes to them, and will collaborate where possible. In addition, Versasec requests that researchers do not perform Denial-of-Service attacks or compromise Versasec user infrastructure or personal information.
Call To Action
If you believe you have discovered a vulnerability, contact Versasec at privacy@versasec.com to start a conversation and to establish a routine for securely sharing your report privately.
Please include, if possible, the information below in your email report:
- Any contact details (e.g., Signal, WhatsApp, or other messaging accounts)
- Company name
- Preferred email contact
- General description of the vulnerability
- The product containing the vulnerability, including its version number
- Tools, hardware, and other configurations required to trigger the event
- Any security or service pack updates applied
- Documented instructions to reproduce the event
- Sample code, proof of concept, or executable used to produce the event
- Description of how the vulnerability will impact a user, including how an attacker could breach security on-site
- Affected product
- Technical description and steps to reproduce
- PoC (link)
- Other parties and products involved
- Disclosure plans/dates/drivers
- What was the purpose and scope of research being performed when found (context)?