As a provider of security software, services, and research, we take security issues very seriously and recognize the importance of privacy, security, and community outreach. As such, we are committed to addressing and reporting security issues through a coordinated and constructive approach designed to drive the greatest protection for technology users. Whether you’re a user of SimplyCubed solutions, a software developer, or simply a security enthusiast, you’re an important part of this process.
Reporting security issues
If you believe you have discovered a vulnerability in a SimplyCubed product or have a security incident to report, please email firstname.lastname@example.org. If you feel the need, please use our PGP public key - KeyID: 15D532FB14AC6543 - to encrypt your communications with us.
Once we have received a vulnerability report, SimplyCubed takes a series of steps to address the issue:
- SimplyCubed requests the reporter keep any communication regarding the vulnerability confidential.
- SimplyCubed investigates and verifies the vulnerability.
- SimplyCubed addresses the vulnerability and releases an update or patch to the software. If for some reason this cannot be done quickly or at all, SimplyCubed will provide information on recommended mitigations.
- SimplyCubed publicly announces the vulnerability in the release notes of the update. SimplyCubed may also issue additional public announcements, for example via social media, our blog, and media.
- Release notes (and blog posts when issued) include a reference to the person/people who reported the vulnerability, unless the reporter(s) would prefer to stay anonymous.
SimplyCubed will endeavor to keep the reporter apprised of every step in this process as it occurs.
We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and services, and better protect our customers. Thank you for working with us through the above process.
Coordination is key
When properly notified of legitimate issues, we’ll do our best to acknowledge your emailed report, assign resources to investigate the issue, and fix potential problems as quickly as possible. When we discover vulnerabilities through our own research, we will do our best to coordinate efforts with the vendor’s security teams and CERT/CC.
Security issues found by SimplyCubed research
Once we have found a vulnerability in another vendor’s products, SimplyCubed takes a series of steps to address the issue:
1. SimplyCubed will keep any communication confidential regarding the vulnerability until the completion of the disclosure process.
2. SimplyCubed will attempt to contact the appropriate product vendor by email and telephone.
3. SimplyCubed will provide the vulnerability details to the vendor.
4. SimplyCubed will send a notification to CERT/CC 15 days after the first attempt at contacting the vendor.
5. In keeping with CERT/CC’s 45-day disclosure policy, SimplyCubed and CERT/CC will prepare and publish an advisory detailing the vulnerability at least 60 days after initial attempts at disclosure at stage #2 above, barring extenuating circumstances. This advisory will be made available to the general public via SimplyCubed’s blog and social media. It is likely there may also be some media interest, depending on the details of the findings.
For the latest news, research, and developments from SimplyCubed on security, research, and projects, visit our blog.