CYBERSECURITY ADVISORY

At Secomea, we are dedicated to ensuring our customers have the information they need to keep their systems up to date and protected against cybersecurity threats.

Secomea is authorized by CISA (Cybersecurity & Infrastructure Security Agency) as a CVE Numbering Authority (CNA), which is the de-facto international standard for identifying and naming cybersecurity vulnerabilities. Our support team ensures that discovered vulnerabilities are disclosed timely and in accordance with the CVE Program Standards.

Find information about:

Advisory Process  |  Advisories  |  Other Security Statements

SECOMEA CYBERSECURITY ADVISORY PROCESS

If you have discovered an issue that you believe is a security vulnerability in our products or services, please email VulnerabilityReporting@secomea.com. Please include the following, as applicable:

  • A detailed description of the vulnerability
  • A Proof of Concept (POC) or instructions (e.g. screenshots, video, etc.) on how to reproduce the vulnerability or steps taken
  • Risk or exploitability assessment
  • Instructions on how to reach you with follow up questions
  • Whether the issue is subject to a Coordinated Vulnerability Disclosure (CVD) deadline CVE assignment and discovery acknowledgment regarding reports on products no longer supported will be decided on a case-by-case basis.

We strive to respond to all reports within three working days.

We acknowledge that reporting can contain sensitive information, and if so, please indicate in the email that you have sensitive data to exchange with us, and we will arrange proper exchange measures. You can submit using our PGP Public Key.

 

Once reported, our support team will perform an evaluation of the issue to determine the affected products and whether the report is a valid security vulnerability. The support team will then contact the reporting entity with our analysis results. The reporter must respond within 30 days or the case may be closed. If necessary, partners or other CERTs are informed and involved in the process.

Vulnerabilities will be addressed by R&D as product fixes (remediations or mitigations). Secomea will keep the reporter informed of the status of the reported vulnerability and our approach to addressing the issue. If appropriate, a preview-release can be provided to the reporter in advance for validation.

We strive to provide fixes to vulnerabilities with CVSS (CVSS version 3.1) scores above medium within 30 business days. Generally, CVEs with medium/high CVSS scores but with a low risk/impact evaluation may have a longer timeline than CVEs with high risk/impact evaluation.

Secomea will release product fixes for vulnerabilities as part of normal product releases. Fixes are deployed to Secomea hosted solutions as they become available. Secomea will disclose security advice as part of the release documentation. All CVEs with a CVSS score of medium or higher will be published to the CVE list.
Disclosure timeline of security advisories will be coordinated with customers, partners and the reporter.

Our Security Advisory usually contains the following information:

  • CVE reference, CVSS score and description of the vulnerability including risk/impact evaluation
  • Available mitigations and workarounds
  • Reporter credit optionally

Vulnerabilities in third-party party software components used in supported Secomea products are assessed according to the risk/impact in relation to the product’s security context. Secomea may adjust the CVSS score to reflect such impact. As for Secomea developed software, a fix is released as part of the normal product releases. Third-Party vulnerabilities with assessed CVSS score above medium will be disclosed as part of release documentation.

SECOMEA SECURITY ADVISORIES

 

OTHER SECURITY STATEMENTS


Published: 13-12-2021 (updated 22-12-2021)

Statement on Log4Shell vulnerability – CVE-2021-44228/CVE-2021-45046  

Secomea has investigated all systems and we can state that Secomea is NOT affected by this exposure

Neither Secomea products nor supporting systems, such as License Portal etc. include any components affected by this vulnerability.

Also, we do not use any of these products: https://github.com/NCSC-NL/log4shell/tree/main/software

 

 

NEWSLETTER SIGN-UP

Get the latest Secomea news sent straight to your inbox.

 
Subscribe

CONTACT

Secomea Headquarters
Copenhagen, Denmark
+45 88 70 86 50
info@secomea.com

Contact Secomea
Contact a distributor

Find addresses here

Privacy & Cookie Policy  © Secomea 2022, All rights reserved