Nozomi Networks Product Security Incident Response Team (PSIRT) is responsible for investigating security concerns that potentially affect our products and services. If you find or you are aware of any security issues, please contact us using the GPG keys and the email address provided below. The Team will review your notification within 72 hours.
Nozomi Networks aims to address vulnerabilities found in our products according to the following timeline:
For on-prem products:
- Critical/high vulnerabilities will be remediated within 2 months.
- Medium/low vulnerabilities will be remediated within 6 months or in the next release, whichever comes first.
To ensure our customers have adequate time to upgrade to the recommended versions of our products, we will release advisories 90 days after a version containing the fix is released.
For SaaS products:
- Critical/high vulnerabilities will have a workaround provided within 24 hours.
- Critical/high vulnerabilities will be fixed within 30 calendar days.
- Medium/low vulnerabilities will have a workaround provided within 30 calendar days.
- Medium/low vulnerabilities will be fixed within 6 months.
Certain parts of the Nozomi Networks operating system may include third-party software. Nozomi Networks monitors disclosures regarding security incidents involving third-party software and conducts due diligence to ensure patches are incorporated into the Nozomi Networks operating system within 30 to 60 days of their release. If a third-party software vulnerability lacks an officially released patch, Nozomi Networks may choose to mitigate the vulnerability if necessary or wait until an official patch is available.
What "Vulnerable" Means to Us
All reported issues are evaluated using a risk-based assessment process. Nozomi Networks considers factors such as the potential impact on confidentiality, integrity, and availability of systems or data; the level of access required to exploit the issue; the likelihood of exploitation; the exposure of the affected component; and whether the issue can be reliably reproduced.
Issues determined to pose a material security risk will be prioritized for remediation in accordance with Nozomi Networks’ vulnerability management process.
Not all vulnerable code exposes an exploitable or attackable vulnerability. Our system image ships with hardened configurations as part of our effort to protect our customers. Moreover, our QA system regularly scans our code base, and we conduct an internal vulnerability assessment on every nightly build.
Exploiting a vulnerability usually requires loading and executing code on the local system. Our system image design disallows adding system users from the console. This means that, in order to execute local code inside our system image, an attacker must already have complete access to the system.
How to Get in Touch
To get in touch with our PSIRT please send an encrypted email to prodsec@nozominetworks.com. Make sure to encrypt your message using this GPG key.
Upon receiving the report, we will log the issue in our support system, assign a tracking number, and begin investigating the potential vulnerability. Please be sure to include all the information we may need, including a valid and working exploit example.
Code of Conduct and Rules of Engagement
We kindly request that you adopt the principles of responsible disclosure and notify us of any security issues affecting our products before disclosing them publicly, so that we can promptly resolve any vulnerabilities.
While we do not currently operate a bug bounty program, we appreciate responsible disclosure and may acknowledge researchers in our advisories. Please note that we do not consider findings originating from SSL/TLS scanners or port scanners, low-level configuration issues such as cookie flags or security headers, or potential vulnerabilities with no actual impact to be vulnerabilities. Please refer to the sections What "Vulnerable" Means to Us and Out-of-Scope Vulnerabilities for further details.
Furthermore, we kindly request that you do not perform DoS/DDoS attempts on production systems or engage in unauthorized social engineering attacks. In the event that you are able to access PII or other sensitive data through a vulnerability, please stop immediately, and report it to us without extracting any further data.
If you conduct security research in good faith and in accordance with this policy, Nozomi Networks considers such activity to be authorized and subject to safe harbor. Nozomi Networks will not pursue legal action or refer the matter to law enforcement for accidental or good-faith violations of this policy, provided that you avoid privacy violations, service disruption, or data destruction, access only the minimum information necessary to demonstrate a vulnerability, and promptly report the issue through the designated reporting channels.
Security Advisories
The Nozomi Networks security portal is the platform where Nozomi Networks releases its security advisories. These advisories contain information on vulnerabilities, CVSS scores, and risk levels for our customers, as well as instructions for implementing workarounds or fixes.
In addition, as a CNA (CVE Numbering Authority), Nozomi Networks has the authority to assign unique CVE identifiers to track vulnerabilities specific to our products.
Reference
CVE Risk Level mapping
| Risk Level | CVSS v4.0 score |
|---|---|
| Critical | 9.0–10.0 |
| High | 7.0–8.9 |
| Medium | 4.0–6.9 |
| Low | 0.0–3.9 |
Impact Reference
DoS, Code Execution, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, HTTP Response Splitting, Bypass (of a security restriction), Gain Information, Gain Privileges, CSRF, File Inclusion
CSAF
Wherever applicable, advisories will also be provided in CSAF format.
A CSAF trusted provider metadata file is also available.
Out-of-scope vulnerabilities
At its sole discretion, Nozomi Networks may deprioritize findings that do not pose a demonstrable security impact.
The following is a list of out-of-scope vulnerabilities that will not be considered for remediation. These vulnerabilities do not pose a significant risk to the application's security and are considered low-impact or not relevant to the scope of the project.
- Anything reported by automated web vulnerability scanners, SSL/TLS scanners, or port scanners.
- Any credentials or personal information that are automatically saved or filled in by the user's browser or client-side application.
- Low-impact disclosures and banner-grabbing issues.
- Issues related to password and credential strength, such as insufficient length, lack of lockouts, or inadequate brute-force/rate-limiting protections.
- Errors in user interface and user experience, such as spelling mistakes.
- Missing cookie flags, unless they directly lead to a security vulnerability.
- Cross-site Request Forgery (CSRF) vulnerabilities with a low-security impact, such as logout CSRF.
- Self-XSS and clickjacking.
- Missing X-Frame-Options header (Clickjacking/UI Redressing).
- Security vulnerabilities that only affect older user agents or application versions.
- SSL/TLS mixed content issues unless they result in the leakage of sensitive information such as cookies and credentials.
- Lack of SSL/TLS, or deviations from SSL/TLS best practices, reported without a fully functional proof of concept.
- Host header open redirects.
- Minor issues regarding session management, such as concurrent sessions, session expiration, and session refresh upon password reset/change or log out.
- Missing HSTS or CSP headers.
- Path, information, or version disclosure.
- Issues that depend on bad behaviour by administrators.
