Objective
This policy is intended to describe Opengear’s standards for responding to known potential security vulnerabilities in Opengear products. It defines Opengear’s targets for communicating potential vulnerabilities and delivering resolutions to customers.
Scope
This policy specifically covers security vulnerabilities in released and supported Opengear products. We define a security vulnerability as an unintentional weakness or flaw within hardware, firmware or software that has the potential to be exploited, by a threat agent, in order to compromise a customer’s network. These include, but are not limited to, any methods that unintentionally provide unauthorized access methods, permissions, or information.
This policy does not cover general support and resolution process for non-security related defects. For further information on general support policies, please refer to Support & Helpdesk Ops.
Audience
This policy is for the use of Opengear partners and customers.
Introduction
Opengear products are designed to be secure and reliable elements of our customers' networks. Our products include many security features such as secure boot, firewalls, authentication, authorization, and encryption. Opengear Engineering practices prohibit the introduction of features that bypass these protections.
Opengear welcomes the transparent reporting of all vulnerabilities and is committed to resolving them in a timely manner. In addition to reporting by users, Opengear actively searches for vulnerabilities through internal testing, static code analysis, independent penetration testing and assessment of new CVEs. Vulnerabilities may be introduced through an error in design or development or (more commonly) through a vulnerability being discovered in a third-party library integrated into Opengear firmware or software. They may be discovered through Opengear testing, reported publicly as a Common Vulnerability and Exposure (CVE), or discovered by an independent security assessment, a customer, or another party.
Opengear’s policy is to quickly assess the impact of any reported vulnerabilities. Once the vulnerability is assessed according to the Common Vulnerability Scoring System (CVSS 3.0), details of the vulnerability, its impacts and timelines for resolution will be made publicly available to customers and partners.
Reporting Potential Vulnerabilities
Customers or partners experiencing a security issue with Opengear products are encouraged to report the issue as soon as practicable through the Digi Opengear help desk. When reporting a potential vulnerability, please include as much information as possible (including the CVE number if available) about the circumstances and the potential impact.
Assessing Potential Vulnerabilities
Opengear uses the Common Vulnerability Scoring System (CVSS 3.0) in combination with the Security Impact Rating (SIR) to evaluate newly reported potential vulnerabilities. The determined CVSS score reflects the potential security threat of the vulnerability within the context of Opengear product design.
Information and Resolution Timelines
The CVSS 3.0 score is used to prioritize and set targets for communication and resolution as follows:
SIR | CVSS 3.0 | Resolution Target | Fix Information
Critical | 9.0–10.0 | Patch release | Fix information in the Security Advisory and patch release notes.
High | 7.0–8.9 | Patch release | Fix information in the Security Advisory and patch release notes.
Medium | 4.0–6.9 | Next major release | Release notes
Minor | N/A | Future release | Release notes
No Vulnerability | N/A | N/A | N/A
Resolution of Potential Vulnerabilities
Opengear takes security vulnerabilities seriously and endeavors to make resolution available to customers and partners in line with resolution targets for all products currently in support (to verify which products are no longer supported, please visit EoL (End of Life) Announcements for Opengear Products).
For critical vulnerabilities, Opengear enacts a formal Incident Management Process. This process involves dedicating appropriate resources to the resolution until a fix has been released. The process includes internal communication and escalation procedures to ensure the resolution receives the highest possible priority.
All software resolutions will be delivered through the normal patch and release channels here. Software resolutions are made available to all customers regardless of warranty status.
Security vulnerabilities requiring changes to hardware design are extremely rare. For critical issues Opengear will issue a general recall for the affected devices. All other defects will be handled through the normal RMA process.
Receiving Information on Potential Vulnerabilities
Customers and partners can register to receive information on potential vulnerabilities that are in the process of being assessed or resolved. To register to receive these notifications you must first register for a helpdesk account here if you have not already done so. Then follow the desired category, for example Security Notifications or Firmware Update Notifications, by clicking the “Follow” button near the upper right corner. The button changes to “Following” for any category from which you are currently registered to receive updates.
Any registered parties will receive Security Advisories for any Critical or High SIR vulnerability, providing detailed information about the vulnerability. They will also receive updates on all issues they have reported, regardless of type.