Product security disclosure
ARCON, a provider of software security solutions, places a paramount emphasis on securing its products and effectively managing vulnerabilities within them. We adopt a proactive approach to continually diminish vulnerabilities and associated risks. This involves robust engineering processes to prevent vulnerabilities, a combination of manual and automated methods for early detection, and swift responses upon discovery.
This policy delineates ARCON’s strategy for managing vulnerabilities in its products, encompassing third-party components integrated within them. It excludes platforms, operating systems, and hosting arrangements not included in ARCON’s offerings.
While we endeavor to ensure the safety of our systems for our customers, in the event that a security researcher or member of the public identifies a vulnerability and responsibly reports it to us, we deeply value their contribution. We collaborate closely with them to promptly address the reported issue. Additionally, we are pleased to acknowledge their contributions publicly, adhering to the stipulations outlined here.
Procedure for Reporting Issues:
If you possess information regarding a security issue or vulnerability in an ARCON suite of products, kindly forward it via email to firstname.lastname@example.org. Please include the following details:
- Affected products and versions
- Elaborate description of the vulnerability
- Any known exploits
The Product Security team may contact the reporter for additional information necessary to replicate the issue. Upon confirmation of a vulnerability, this policy will be implemented immediately.
To prevent legal repercussions, refrain from disclosing any found vulnerabilities on public platforms or sharing your findings with third parties without written approval from ARCON. Also, avoid employing physical security attacks, social engineering, distributed denial of service, spam, etc.
Each vulnerability, whether discovered by ARCON or disclosed by a third party, undergoes evaluation to determine severity, vulnerable paths, impact, root cause, exploitability, and affected products and versions. If an identified issue aligns with the definition of a security gap rather than a vulnerability, it will be managed through the product’s proactive security backlog and prioritized accordingly.
Remedies for vulnerabilities may be provided through various means, including an applicative fix via an updated version or patch, a configuration alteration (either manual or scripted), or any other suitable approach. Temporary mitigations may also be implemented if available, offering an immediate workaround until the final remedy is applied.
ARCON reserves the right to update this policy at its sole discretion, without prior notice.