Security Center

We take security seriously.

Charter

Ezurio is committed to minimizing the risk our customers face from security vulnerabilities associated with our products. Our goal is to provide a timely and consistent response containing product and vulnerability information, guidance and mitigation options. The Ezurio Product Security Incident Response Team (PSIRT) is responsible for coordinating the response to, and communicating the status of, all product vulnerabilities reported to Ezurio.

Reporting a Security Vulnerability

If you identify or have questions about a given vulnerability or other product security issue, related to any Ezurio product, please contact us immediately. It is important we are aware of issues as soon as possible. Timely notification of potential vulnerabilities is critical in minimizing their impact.

Securing the Communication

When reporting a security issue, please refrain from including any detailed information about the issue in your initial message. Upon receiving the initial inquiry, the PSIRT will contact you via email and establish a secure communication channel if necessary to safely share sensitive information and files.

Information to Provide

After establishing a secure communication channel, it is crucial to provide comprehensive information. This will enhance our understanding of the reported issue's nature and scope. We may reach out to you for further clarification. When reporting a vulnerability please provide as much of the following information as possible:

  • Ezurio product name and version containing the vulnerability (Please include both hardware and software products being used)
  • Environment or platform information under which the vulnerability was reproduced (e.g. product model number, OS version, etc.)
  • Type and/or class of vulnerability (XSS, buffer overflow, RCE, CWE, etc.)
  • Step-by-step instructions to reproduce the vulnerability.
  • Proof-of-concept or exploit code used to identify the vulnerability.
  • Potential impact of the vulnerability (Security threat)
  • Scope of vulnerability (Your products impacted)
  • List of organizations informed about the vulnerability.
  • Known CVEs associated with the issue.

Vulnerability Confidentiality

Due to the potential for significant privacy and product impact, Ezurio takes the reporting of a potential vulnerability extremely seriously and treats such reports with the highest level of confidentiality. We ask that knowledge of a reported vulnerability be limited to you, the customer, and Ezurio until threat analysis is complete, remediation action has been identified and disclosure activities have been coordinated. This is in line with industry standard practices and is designed to protect all parties from unnecessary risk.

Vulnerability Mitigation

Providing mitigation guidance on reported vulnerabilities is the responsibility of the PSIRT. This will be provided after the vulnerability has been investigated and a technical solution has been identified. Mitigation may take one or more of the following forms:

  • An updated release of the affected product hardware and/or software.
  • A software patch that can be installed on top of the affected product.
  • A corrective procedure or workaround provided by Ezurio that instructs users on adjusting the product configuration to mitigate the vulnerability.
  • Recommendations on configuration, integration or usage of the product which removes exposure of the vulnerability.
  • Advisory that there is no mitigation.

Ezurio will endeavor to provide mitigation for all identified vulnerabilities. The ability to respond quickly depends on many factors, such as the severity, impact, ability to replicate, remediation complexity, the affected component (e.g., some updates require longer validation cycles or can only be delivered in a major release), the stage of the product within its lifecycle, and the status of business operations, among others.

In some cases, it is not possible to provide a mitigation that resolves an identified vulnerability. When this occurs, Ezurio will clearly identify products impacted and will work with the customer to identify the best path forward.

Remedy Communication

Communication around a reported vulnerability will vary based upon the status of the issue. Where a private report has been made, communication will be directly between Ezurio and the reporting entity. Moving a private report to public disclosure will require the completion of technical analysis, mitigation development and confirmation of issue resolution.

When a vulnerability has been publicly disclosed, communication identified as necessary by the PSIRT will adhere to the following guidelines:

  • Acknowledgement of Vulnerability: Ezurio will publish notice that it has made initial review of the published vulnerability and acknowledges the potential for impact on Ezurio products and our customers.
  • Confirmation of Impact: Once analysis has been completed to confirm the vulnerability's impact on Ezurio products, Ezurio will publicly confirm the products impacted and provide a preliminary schedule for remediation.
  • Delivery of Remediation: Ezurio will provide confirmation of the availability of remediation for given vulnerabilities. This will also include guidance on how the remediation will be provided.

When possible, Ezurio will use an industry-standard identifier, most commonly a CVE number, to reference public vulnerabilities.

Timetable

Ezurio will do everything we can to correspond in a timely manner and remedy vulnerabilities as soon as possible.

We try to provide acknowledgement of receipt of any reported vulnerability within 72 hours. Weekends and holidays may impact this, but we strive to beat this and provide a prompt acknowledgement to start the reporting process.

We also target 90 days to provide a mitigation for the vulnerability. Again, this is not always possible and can be outside of our control; however, we will do our best to provide timely communications and resolutions.

Additional Disclosure Information

Ezurio does not supply specific information about vulnerabilities beyond that provided in the Security Advisory and related documentation, such as release notes, knowledgebase articles, FAQs, etc.

Ezurio does not distribute exploit or proof of concept code for identified vulnerabilities.

In accordance with industry practices, Ezurio does not share the findings from its internal security testing or other types of security activities with external entities.

Disclaimer

Ezurio’s Vulnerability Response Policy is subject to change without notice. A response is not guaranteed for any specific vulnerability. Your use of the information contained in this document or materials linked herein is at your own risk.

Disclosures

FRAG ATTACK: Putting the pieces back together – Part 2

Published July 27, 2021

In our previous blog post on FRAG ATTACK, Ezurio (formerly Laird Connectivity) discussed the threat of the vulnerability as disclosed by the Wi-Fi Alliance. In the weeks since, Ezurio has been working to understand the impact on our Wi-Fi products and establish a mitigation plan for impacted customers. Utilizing the Wi-Fi Alliance test suite, Ezurio has completed testing and can now provide a comprehensive list...

FRAG ATTACK for Wi-Fi: Putting the Pieces Back Together

Published May 20, 2021

On Tuesday May 11th, the Wi-Fi Alliance announced details of a collection of new vulnerabilities affecting Wi-Fi devices. Since a successful attack would allow the cyber-criminal to steal user information, exploitation of the FRAG ATTACK vulnerabilities is considered a serious threat to the security of devices using Wi-Fi connectivity...