At Secomea, we are dedicated to ensuring our customers have the information they need to keep their systems up to date and protected against cybersecurity threats.
Secomea is authorized by CISA (Cybersecurity & Infrastructure Security Agency) as a CVE Numbering Authority (CNA); the CVE Program is the de facto international standard for identifying and naming cybersecurity vulnerabilities. Our support team ensures that discovered vulnerabilities are disclosed in a timely manner and in accordance with the CVE Program Standards.
Find information about:
If you have discovered an issue that you believe is a security vulnerability in our products or services, please email VulnerabilityReporting@secomea.com. Please include the following, as applicable:
We strive to respond to all reports within three working days.
We acknowledge that reporting can contain sensitive information, and if so, please indicate in the email that you have sensitive data to exchange with us, and we will arrange proper exchange measures. You can submit using our PGP Public Key.
Once reported, our support team will perform an evaluation of the issue to determine the affected products and whether the report is a valid security vulnerability. The support team will then contact the reporting entity with our analysis results. The reporter must respond within 30 days or the case may be closed. If necessary, partners or other CERTs are informed and involved in the process.
Vulnerabilities will be addressed by R&D as product fixes (remediations or mitigations). Secomea will keep the reporter informed of the status of the reported vulnerability and our approach to addressing the issue. If appropriate, a preview-release can be provided to the reporter in advance for validation.
We strive to provide fixes to vulnerabilities with CVSS (CVSS version 3.1) scores above medium within 30 business days. Generally, CVEs with medium/high CVSS scores but with a low risk/impact evaluation may have a longer timeline than CVEs with high risk/impact evaluation.
Secomea will release product fixes for vulnerabilities as part of normal product releases. Fixes are deployed to Secomea hosted solutions as they become available. Secomea will disclose security advice as part of the release documentation. All CVEs with a CVSS score of medium or higher will be published to the CVE list.
Disclosure timeline of security advisories will be coordinated with customers, partners and the reporter.
Our Security Advisory usually contains the following information:
5. Third-Party software vulnerabilities
Vulnerabilities in third-party software components used in supported Secomea products are assessed according to the risk/impact in relation to the product’s security context. Secomea may adjust the CVSS score to reflect such impact. As with Secomea-developed software, a fix is released as part of the normal product releases. Third-party vulnerabilities with an assessed CVSS score above medium will be disclosed as part of release documentation.
* Impact of FragAttacks on the Secomea SiteManager
Several SiteManager hardware models are affected by the FragAttacks CVEs. All the important CVEs are addressed in the latest SiteManager firmware release as listed in the table below.
Two CVEs (CVE-2020-26147, CVE-2020-26146) regarding packet reassembly vulnerabilities (for encrypted packets) currently have no fix. They are both evaluated to medium severity and are not considered a real threat for correctly configured WiFi setups when combined with the latest firmware release. Until a fix is available from the WiFi chip supplier (NXP Semiconductor), the most secure mitigation is not to use the WiFi functionality at all and instead rely on cabled connections and 3G/4G modem uplinks.