Nozomi Networks Incident Response Policy

The Nozomi Networks Product Security Incident Response Team (PSIRT) is responsible for investigating security concerns that potentially affect our products and services. If you find or are aware of any security issue, please contact us using the GPG key and the email address provided below.

Nozomi Networks strives to remediate vulnerabilities found in our products within 30-60 days. Specific components of the Nozomi Networks operating system may comprise third-party software. Nozomi Networks monitors security disclosures for that third-party software and performs due diligence to ensure patches are included in the Nozomi Networks operating system within 30-60 days of their release. If a third-party software vulnerability does not have an officially released patch, Nozomi Networks may choose to mitigate the vulnerability, if deemed necessary, or wait for an official patch to be released.

What “Vulnerable” Means to Us

Not all vulnerable code exposes an exploitable or attackable vulnerability. Our system image ships with already hardened configurations because we do our best to protect our customers. Moreover, our QA system scans our code base regularly and we conduct an internal vulnerability assessment on every nightly build. Exploiting a vulnerability usually requires loading and executing code on the local system. Our system image design disallows the addition of system users to the console. This means that in order to execute local code inside our system image, an attacker must already have complete access to the system.

How to Get in Touch

To get in touch with our PSIRT please send an encrypted email to prodsec@nozominetworks.com. Make sure to encrypt your message using this GPG key.

Upon receiving the report, we will log the issue in our support system, assign it a tracking number, and begin to investigate the potential vulnerability. Please be sure to include all the information we may need, including a valid and working exploit example.

Security Advisories

Nozomi Networks publishes its security advisories on the Nozomi Networks security portal site. Each advisory provides details on the vulnerability, its CVSS score, the effective risk level for our customers, and workaround or fix details.

Reference

CVE Risk Level mapping

CVE Level       CVSS
Critical        9.0–10.0
High            7.0–8.9
Medium          4.0–6.9
Informational   0.0–3.9

Impact Reference

DoS, Code Execution, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, HTTP Response Splitting, Bypass something, Gain Information, Gain Privileges, CSRF, File Inclusion

Last update: 2020-07-01