Coordinated vulnerability disclosure
Last updated 23 February 2023
We are committed to ensuring the security of operators and customers who use our products and services. The Coordinated Vulnerability Disclosure process of Genexis enables security researchers and customers to have a primary point of contact with a team of product experts. This team coordinates Genexis’ response to disclosed vulnerabilities.
We encourage vulnerability testing by security researchers and by customers, with responsible reporting to Genexis.
When submitting reports of vulnerability findings, please follow the procedure below.
Reporting procedure
- Fill in the contact form below.
- Please provide the following information in your submission:
  - Contact information, preferably including organization and contact name, so that we can get in touch with you.
  - A detailed technical description of the vulnerability, including full identification of the product, the technical context in which the vulnerability occurred, network configuration details, involved URLs, and any other relevant detail.
  - Before sharing proof-of-concept exploit scripts, or if you have identified specific threats related to the vulnerability, please first arrange a secure transfer with us.
  - Information about other parties you have informed, such as vulnerability coordinators (CERTs, NCSC, or similar).
- Please avoid including privacy-sensitive information in your submission whenever possible.
- To minimize security risks, we request that you coordinate with us on synchronizing the release of information to the public and inform us in advance of your disclosure plans. Please note that depending on the complexity of the reported vulnerability, the full process can take several months.
- We will acknowledge receipt within 7 days, verify the reported vulnerability, and formulate a response, which may include developing a solution that will be announced and released through our existing customer notification processes.
- If the reported vulnerability involves a supplier component that is part of our software bill of materials, we may refer the report to the component supplier. In this case, we will forward your submission, and the supplier may contact you directly.
- We will inform you of the status of your report and, if requested, mention the vulnerability submitter in the patch notes of the security fix, if any.
- By submitting information to us, you agree that this information will be considered non-proprietary and non-confidential and that we are allowed to use this information without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Genexis.