Nozomi Networks Incident Response Policy

Nozomi Networks Product Security Incident Response Team (PSIRT) is responsible for investigating security concerns that potentially affect our products and services. If you find or are aware of any security issue, please contact us using the GPG key and the email address provided below.

Nozomi Networks aims to address vulnerabilities found in our products according to the following timeline:

  • For on-prem products:
    • Critical/high vulnerabilities will be remediated within 2 months.
    • Medium/low vulnerabilities will be remediated within 6 months or in the next release, whichever comes first.
  • For SaaS products:
    • Critical/high vulnerabilities will have a workaround provided within 24 hours.
    • Critical/high vulnerabilities will be fixed within 30 calendar days.
    • Medium/low vulnerabilities will have a workaround provided within 30 calendar days.
    • Medium/low vulnerabilities will be fixed within 6 months.

Specific components of the Nozomi Networks operating system may include third-party software. Nozomi Networks monitors security disclosures for that third-party software and will perform due diligence to ensure patches are included in the Nozomi Networks operating system within 30-60 days of their release. If a third-party software vulnerability does not have an officially released patch, Nozomi Networks may choose to mitigate the vulnerability, if deemed necessary, or wait for an official patch to be released.

To ensure that our customers have adequate time to upgrade to the recommended versions of our products, we will release advisories 90 days after the release of a version containing the fix.

What "Vulnerable" Means to Us

Not all vulnerable code exposes an exploitable vulnerability. Our system image ships with hardened configurations because we do our best to protect our customers. Moreover, our QA system scans our code base regularly, and we conduct an internal vulnerability assessment on every nightly build.

Exploiting a vulnerability usually requires loading and executing code on the local system. Our system image design disallows the addition of system users to the console. This means that in order to execute local code inside our system image, an attacker must already have complete access to the system.

How to Get in Touch

To get in touch with our PSIRT please send an encrypted email to prodsec@nozominetworks.com. Make sure to encrypt your message using this GPG key.

Upon receiving the report, we will log the issue in our support system, including a tracking number, and we will begin to investigate the potential vulnerability. Please be sure to include all the information we may need, including a valid and working exploit example.

Code of Conduct and Rules of Engagement

We kindly request that you adopt the principles of responsible disclosure and notify us of any security issues affecting our products before disclosing them publicly, so that we can promptly resolve any vulnerabilities.

At present, we do not offer a bug bounty program, and therefore, we ask that you refrain from requesting financial compensation when reporting vulnerabilities. However, if we confirm an actual exploitable vulnerability that you have reported, we may credit you with its discovery in our official advisory, unless you prefer not to be credited.

Please note that we do not consider findings originating from SSL/TLS scanners or port scanners, low-level configuration issues such as cookie flags or security headers, or potential vulnerabilities with no actual impact to be vulnerabilities. Please refer to the sections What "Vulnerable" Means to Us and Out-of-scope vulnerabilities for further details.

Furthermore, we kindly request that you do not perform DoS/DDoS attempts on production systems or engage in unauthorized social engineering attacks. In the event that you are able to access PII or other sensitive data through a vulnerability, please stop immediately and report it to us without extracting any further data.

Security Advisories

The Nozomi Networks security portal site is the platform on which Nozomi Networks releases its security advisories. These advisories contain information regarding vulnerabilities, CVSS scores, and the risk level for our customers, as well as instructions for implementing workarounds or fixes.

In addition to this, as a CVE Numbering Authority (CNA), Nozomi Networks has the authority to assign unique CVE identifiers for tracking vulnerabilities that are specific to our products.

Reference

CVE Risk Level mapping

CVE Level   CVSS v4.0
Critical    9.0–10.0
High        7.0–8.9
Medium      4.0–6.9
Low         0.0–3.9

Impact Reference

DoS, Code Execution, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, HTTP Response Splitting, Bypass something, Gain Information, Gain Privileges, CSRF, File Inclusion

CSAF

Wherever applicable, advisories will also be provided in CSAF format.

A CSAF trusted provider metadata file is also available.

Out-of-scope vulnerabilities

The following is a list of out-of-scope vulnerabilities that will not be considered for remediation. These findings do not present a significant risk to the security of the application and are considered low-impact, or they are not relevant to the scope of the project.

  • Anything reported by automated web vulnerability scanners, SSL/TLS scanners, or port scanners.
  • Any credentials or personal information that are automatically saved or filled in by the user's browser or client-side application.
  • Low-impact disclosures and banner-grabbing issues.
  • Issues related to password and credential strength, such as insufficient length, lack of lockouts, or inadequate brute-force/rate-limiting protections.
  • Errors in user interface and user experience, such as spelling mistakes.
  • Missing cookie flags, unless they directly lead to a security vulnerability.
  • Cross-site Request Forgery (CSRF) vulnerabilities with a low-security impact, such as logout CSRF.
  • Self-XSS and clickjacking.
  • Missing X-Frame-Options header (Clickjacking/UI Redressing).
  • Security vulnerabilities that only affect older user agents or application versions.
  • SSL/TLS mixed content issues unless they result in the leakage of sensitive information such as cookies and credentials.
  • Missing SSL/TLS, or deviations from SSL/TLS best practices, reported without a fully functional proof of concept.
  • Host header open redirects.
  • Minor issues regarding session management, such as concurrent sessions, session expiration, and session refresh upon password reset/change or log out.
  • Missing HSTS or CSP headers.
  • Path, information, or version disclosure.
  • Misbehaviour by administrators.

Last update: 2023-09-22