How Edgewatch handles security vulnerabilities

This Vulnerability Disclosure Procedure provides guidelines for the cybersecurity research to improve the security of our products, apps, and cloud services. This Procedure also instructs researchers on how to submit discovered vulnerabilities to our team.

If you are a Edgewatch user and have a security issue to report regarding your account, please visit our support panel. To find out how to stay safe online, take the our Free Edgewatch University courses.

We take security issues extremely seriously and welcome feedback from security researches in order to improve the security of our networked products, apps, and cloud services. We operate a procedure of coordinated disclosure for dealing with reports of security vulnerabilities and issues. Vulnerabilities submitted to us under this procedure will be used for defensive purposes to mitigate or remediate vulnerabilities in our networks and services.

Reporting security issues

If you believe you have discovered a vulnerability in a Edgewatch product or have a security incident to report, please send an email to [email protected] or go to security channel at: support.edgewatch.com to include it in our Vulnerability tracking. Upon receipt of your message we will send an automated reply that includes a tracking identifier.

To receive credit, you must be the first to report vulnerability, and you must notify us in accordance with following;

• You should provide basic details of discovered issue, typically;
• Name/type of affected product/app/service, if applicable; model number, serial number, etc.
• Any Proof of Concept(POC) setup details
• ­Description of the steps to reproduce the issue
• Public references if there is any
• The details of system where the tests were conducted

By following the Vulnerability Disclosure Procedure, we will respond to you within a maximum of 48 business hours upon receiving the initial report. If the reported security issue will be confirmed by looking at the impact, severity, and exploit the complexity of the vulnerability report; we may ask for your further contribution to resolve the potential vulnerability within 90 days.

Although we find every vulnerability that comes from you valuable, we ask you to stay away from any kind of security research that may harm our users, systems and services and has the possibility of data corruption. Also, a researcher determines a vulnerability which includes any sensitive data (including personally identifiable information, financial information, or the proprietary information or trade secrets of any party), they must stop testing, notify relevant e-mail address immediately through our vulnerability submission process, and not disclose this data to anyone else. If a researcher engages in any activities that are inconsistent with this procedure or other applicable law, the researcher may be subject to criminal and/or civil liabilities.

Edgewatch’s vulnerability disclosure policy

Researchers must review and comply with following terms and conditions of this Procedure before conducting any research or testing on our networked products, apps and cloud services.

• If a deadline is due to expire on a weekend or Spanish public holiday, the deadline will be moved to the next normal work day.
• Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the deadline, we will delay the public disclosure until the availability of the patch.
• When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action—within 7 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. We believe it’s important that vendors disclose that there is evidence to suggest that the vulnerability is under active exploitation. Edgewatch does this through a product’s security bulletin.

As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Edgewatch expects to be held to the same standard.