Introduction
Ironman Software strives to help our customers minimize risk associated with security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance, and mitigation options to address vulnerabilities.
How to Report a Security Vulnerability
If you identify a security vulnerability in any Ironman Software product, please report it to us immediately. Timely identification of security vulnerabilities is critical to mitigating potential risks to our customers. When reporting a potential vulnerability, please include as much of the below information as possible to help us better understand the nature and scope of the reported issue:
- Product name and version containing the vulnerability
- Environment or system information under which the issue was reproduced (e.g. product model number, OS version, etc.)
- Type and/or class of vulnerability (XSS, buffer overflow, RCE, CWE, etc.)
- Step-by-step instructions to reproduce the vulnerability
- Proof-of-concept or exploit code
- Potential impact of the vulnerability
Handling Vulnerability Reports
Ironman Software believes in maintaining a good relationship with security researchers, and with their agreement, may recognize the researcher for finding a valid product vulnerability and privately reporting the issue. In return, we ask that researchers give us an opportunity to remediate the vulnerability before disclosing it publicly. Ironman Software believes that coordinating the public disclosure of a vulnerability is key to protecting our customers. According to this policy, all disclosed information about vulnerabilities is intended to remain between Ironman Software and the reporting party—if the information is not already public knowledge—until a remedy is available and disclosure activities are coordinated.
Vulnerability Remediation
After investigating and validating a reported vulnerability, we will attempt to develop and qualify the appropriate remedy for products under active support from Ironman Software. A remedy may take one or more of the following forms:
- A new release of the affected product packaged by Ironman Software
- Instructions to download and install an update or patch from a third-party vendor that is required for mitigating the vulnerability
- A corrective procedure or workaround published by Ironman Software that instructs users on adjusting the product configuration to mitigate the vulnerability.
Impact and Severity Ratings
Ironman Software currently uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) open framework for communicating the characteristics and severity of Ironman Software's software vulnerabilities. Many factors, including the level of effort required to exploit a vulnerability as well as the potential impact to data or business activities from a successful exploit, are taken into consideration. The overall impact of a security advisory is a textual representation of the severity (i.e., critical, high, medium, and low) that follows the CVSS Qualitative Severity Rating Scale for the highest CVSS Base Score of all identified vulnerabilities. When and where applicable, Ironman Software will provide an overall impact for the advisory and, for each identified vulnerability, the CVSS v3.1 Base Score and corresponding CVSS v3.1 Vector. Ironman Software recommends that all customers take into account both the base score and any temporal and/or environmental metrics that may be relevant to their environment to assess their overall risk.
Remedy Communication
Usually, we communicate remedies to customers through Ironman Software Security Advisories, where applicable. To protect our customers, Ironman Software strives to release a Security Advisory once we have a remedy in place for any affected product(s). Ironman Software may release Security Notices sooner to respond appropriately to public disclosures or widely known vulnerabilities in the components used within our products. Security Advisories are intended to provide enough details to allow customers to assess the impact of vulnerabilities and to remedy potentially vulnerable products. Full details may be limited to reduce the likelihood that malicious users can take advantage of the information and exploit it to the detriment of our customers. Ironman Software Security Advisories will typically include the following information, as applicable:
- The overall impact, which is a textual representation of the severity (i.e. critical, high, medium, and low) that follows the CVSS Qualitative Severity Rating Scale for the highest CVSS Base Score of all identified vulnerabilities
- Products and versions affected
- The CVSS Base Score and Vector for all identified vulnerabilities
- Common Vulnerability Enumeration (CVE) identifier for all identified vulnerabilities so that the information for each unique vulnerability can be shared across various vulnerability management capabilities (e.g., tools like vulnerability scanners, repositories, and services)
- Brief description of the vulnerability and the potential impact if exploited
- Remediation details with update/workaround information
- Acknowledgment to the finder for reporting the vulnerability and working with Ironman Software on a coordinated release, as applicable.