Secomea is a CISA-authorized CVE Numbering Authority (CNA)
Cybersecurity advisory
At Secomea, we are transparent and keep ourselves accountable for the security of our products and, in turn, your operations. If you have discovered what you suspect could be a security vulnerability in our products or services, please follow the process detailed below to report it.
Cybersecurity Advisory Process
Report
If you have discovered an issue that you believe is a security vulnerability in our products or services, please report it to us via email at vulnerabilityreporting@secomea.com.
Please include the following, as applicable:
- a detailed description of the vulnerability
- a proof of concept (PoC) or instructions (e.g., screenshots, video, etc.) on how to reproduce the issue, or the steps taken when the issue occurred
- a risk or exploitability assessment
- instructions on how to reach you with follow-up questions
- information on whether the issue is subject to a Coordinated Vulnerability Disclosure (CVD) deadline.
For reports concerning products that are no longer supported, CVE assignment and discovery acknowledgment will be decided on a case-by-case basis.
We acknowledge that a report can contain sensitive information. If so, please indicate in your email that you are sharing sensitive data with us, and we will arrange proper data protection measures. You can also encrypt your report with our PGP public key before submitting it.
Analysis
Once reported, our support team will evaluate the issue to determine whether the report is a valid security vulnerability.
The support team will then contact the reporting entity with our analysis results. We strive to respond to all reports within three working days.
The reporter must respond within 30 days, or the case may be closed.
Partners or other CERTs are informed and involved in the process if necessary.
Handling
If our support team assesses the reported issue as a security vulnerability, our R&D department will address it with product fixes (remediations or mitigations).
Secomea will keep the reporter informed of the status of the reported vulnerability and our approach to addressing it. If appropriate, a preview release can be provided to the reporter in advance for validation.
We strive to fix vulnerabilities with CVSS v3.1 scores above medium (i.e., rated high or critical) within 30 business days. Generally, CVEs with a medium or high CVSS score but a low risk/impact evaluation may have a longer timeline than CVEs with a high risk/impact evaluation.
For vulnerabilities with a CVSS score higher than 7.0, Secomea will review the Threat Model of affected products to ensure the best cybersecurity standards are in place.
Disclosure
Secomea will release product fixes for vulnerabilities as part of standard product releases. Fixes are deployed to Secomea-hosted solutions as they become available. Secomea will disclose security advice as part of the release documentation.
All CVEs with a CVSS score of medium or higher will be published to the CVE list. The disclosure timeline of security advisories will be coordinated with customers, partners, and the reporter.
Our Security Advisory usually contains the following information:
- CVE reference, CVSS score, and description of the vulnerability, including risk/impact evaluation
- Available mitigations and workarounds
- Reference to the reporter (optionally)
Third-party software vulnerabilities
Vulnerabilities in third-party software components used in supported Secomea products are assessed according to their risk and impact in relation to the product’s security context. Secomea may adjust the CVSS score to reflect such an impact.
Potential fixes will be released as part of standard Secomea product releases. Third-party vulnerabilities with assessed CVSS scores above medium will be disclosed in the release documentation.