PSIRT Review Process

To ensure that our products maintain the highest security standards and integrity, we have a formal process of investigation that is handled by the Product Security Investigation Team. The following figure illustrates the VASCO PSIRT process at a high level.
As a first step, the VASCO PSIRT becomes aware of a suspected vulnerability in one or more VASCO products. This may happen in several ways:
- A third party (customer, partner, researcher, etc.) reports a suspected vulnerability directly to VASCO.
- VASCO becomes aware of a public posting (on Bugtraq, VulnDev, etc.) about a suspected vulnerability.
- VASCO itself, through one of its internal departments, discovers a vulnerability in a VASCO product.
Subsequently the VASCO PSIRT logs the suspected vulnerability with supporting details, and informs the reporter that it is investigating the case.
If the suspected vulnerability is privately reported by a third party, the VASCO PSIRT requests the reporter to maintain strict confidentiality until a complete resolution is available and has been published by the VASCO PSIRT, in line with responsible disclosure practices. The VASCO PSIRT will keep the reporter informed about all steps throughout the process.
The PSIRT reports the suspected vulnerability to the relevant product teams for verification. The product team attempts to reproduce the issue to verify whether it is in fact a vulnerability.
Throughout the analysis, the VASCO PSIRT strives to work collaboratively with the reporter to confirm the nature of the vulnerability, gather required technical information, and ensure appropriate remedial action.
The VASCO PSIRT manages all sensitive information on a highly confidential basis. Distribution within VASCO is limited to those individuals who have a need to know and can assist in the resolution.
If the suspected vulnerability is confirmed, the VASCO PSIRT and the product team work together to define the severity level of the vulnerability using the Common Vulnerability Scoring System (CVSS), version 2.0, based on its base metrics and resulting base score.
The product team determines for which product versions a fix should be developed and provides an estimate for the release date of the fixes. The product team also develops the fixes.
The PSIRT determines whether a security publication will be issued and, if so, the type of security publication that will be used to disclose the vulnerability.
The PSIRT drafts the security publication in cooperation with the product team. With the agreement of the reporter, the VASCO PSIRT may acknowledge the reporter's contribution in the public disclosure of the vulnerability. If necessary, the VASCO PSIRT works with the MITRE Corporation to obtain CVE identifiers for the vulnerability.
The VASCO PSIRT publishes the security publication through several channels:
- On the PSIRT website
- Via the Security Advisories & Response RSS feed
The VASCO PSIRT may also release the security publication on security forums, vulnerability databases or mailing lists. However, only the official VASCO PSIRT website is kept up to date.
Finally, VASCO also informs customers who use an affected product by e-mail.