Coordinated Vulnerability Disclosure

Last updated 23 February 2023

Genexis is committed to ensuring the security of operators and customers who use our products and services. The Coordinated Vulnerability Disclosure process of Genexis enables security researchers and customers to have a primary point of contact with a team of product experts. This team coordinates the response of Genexis to disclosed vulnerabilities.

Genexis encourages vulnerability testing by security researchers and by customers, with responsible reporting to Genexis.

When submitting reports of vulnerability findings, please follow the procedure below.

Reporting Procedure

  1. Fill in the contact form below.
  2. Please provide the following information in your submission:
    1. Contact information, preferably including organization and contact name, so that we can get in touch with you.
    2. A detailed technical description of the vulnerability, including full identification of the product, technical context in which the vulnerability occurred, network configuration details, involved URLs, and any other relevant detail.
    3. Before sharing proof-of-concept exploit scripts, or if you have identified specific threats related to the vulnerability, please first arrange secure transfer with us.
    4. Information about any other parties that you have informed, such as vulnerability coordinators (CERTs, NCSC or similar).
  3. Please avoid including privacy-sensitive information in your submission whenever possible.
  4. To minimize security risks, we request that you coordinate with Genexis on synchronizing the release of information to the public, and that you inform Genexis in advance of your disclosure plans. Please note that depending on the complexity of the reported vulnerability, the full process can take several months.
  5. Genexis will acknowledge receipt within 7 days, verify the reported vulnerability, and formulate a response which may include developing a solution that will be announced and released through our existing customer notification processes.
  6. If the reported vulnerability involves a supplier component which is part of our software bill-of-materials, we may refer the report to the component supplier. In this case, we will forward your submission, and you may be contacted by the supplier directly.
  7. Genexis will inform you of the status of your report, and if requested will mention the vulnerability submitter in the patch notes of the security fix, if any.
  8. By submitting information to Genexis, you agree that this information will be considered as non-proprietary and non-confidential, and that Genexis is allowed to use this information without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Genexis.