Security Vulnerabilities
Profisee strives to make its software and services as secure as possible, using modern development standards, robust automated and manual testing, and professional third-party vulnerability testing firms. We catch most bugs and vulnerabilities through these measures; however, we are not perfect and occasionally a vulnerability is discovered. Profisee strives to resolve these vulnerabilities as quickly as possible so that our customers are well protected, and to be transparent in its communication about the resolution of these findings.
How Profisee processes vulnerability reports
Whenever Profisee becomes aware of a potential security vulnerability, we will quickly move to assess the issue. We first replicate the problem, and then determine whether the issue represents a security risk to our customers or our own systems. If we discover any risk, we immediately start work on a fix for the underlying problem, as well as tactical mitigations to reduce the imminent risk. We also set in motion a process to identify the root cause of how the vulnerability made it into the product in the first place.
Once we identify a risk and have established a mitigation or a fix, we reach out to inform our customers. Customers receive notification through the support portal when they log in (guest users do not receive these notifications), and we inform customers through the email address they provided to Profisee. Users can also specify a separate email address for the notification of security issues by contacting their Profisee Account Manager or the Profisee Customer Service team.
After the issue has been resolved (and fixes have been made available, if necessary) we will post details of the issue on our website, including impacted versions of the software or service and recommended mitigations.
Reporting a vulnerability to Profisee
We can’t fix vulnerabilities unless we know about them. That’s why our vulnerability reporting program doesn’t just cover how we keep our customers informed, but also how we work with customers, partners, and security researchers to receive reports of issues, assess them, and address them with as much transparency as possible while maintaining the security of our systems and data, and those of our customers.
If you think you’ve identified any sort of security vulnerability, please contact us immediately at securityteam@profisee.com.
All reports are carefully reviewed, and we will get back to you as soon as possible. If we need more details to assess the issue, we will let you know. Once we have sufficient details, we begin our vulnerability remediation process, keeping you informed as much as possible along the way. Profisee will work to resolve the issue rapidly, but different vulnerabilities will be resolved within different time frames.
If you report a product issue that might impact our customers, we will likely issue a security notice and, if the issue is of non-trivial severity, we may release the details with a CVE number. Before we release details, we always ask whether you would like to receive public credit as the discoverer of the issue or prefer to remain anonymous. Please note that we do not offer cash bug bounties for issues discovered outside of a formal, by-invitation vulnerability assessment process.
In Scope
Profisee will accept any vulnerability report that is specific to the Profisee application or production deployments of the Profisee Application.
Out of Scope
We are interested in learning about all vulnerabilities, but the following types of vulnerabilities are out of scope for purposes of our security response processes.
- Vulnerabilities in a supported commercial operating system or other elements of the operating environment.
- Vulnerabilities in generic implementations of technologies we implement.
- Vulnerabilities that are only exploitable if someone intentionally misconfigures, insecurely configures, or insecurely deploys our products.
- Vulnerabilities in network functions on which a fully integrated Profisee solution relies.
- Denial of Service style attacks that are not specific to the product or that do not originate from Profisee.
- Other non-specific attack patterns.
Reporting a vulnerability in Profisee’s Secure Access products
Contacting Profisee
If you are an existing customer, the fastest way to notify Profisee of a potential vulnerability in one of our products is to open a support case with our support team and state that you believe you have found a vulnerability.
If you are not an existing customer, you can contact info@profisee.com or securityteam@profisee.com with information on your finding.
Disclosure
Responsible Disclosure
Profisee adheres to the practice of responsible disclosure, where the time between the reporting of a vulnerability and its disclosure in a public forum such as the CVE database allows for the release of a patch, notification of the affected customers, and time for affected customers to deploy the patch. Profisee is pleased to publicly acknowledge, in our notifications and on our website, the efforts of security analysts who contact us and follow this policy.
Severity
Profisee follows the general classification of vulnerabilities described in the Common Vulnerability Scoring System (CVSS version 3.1, https://www.first.org/cvss/). CVSS classifies vulnerabilities into severity tiers by score: None (0.0), Low (0.1 – 3.9), Medium (4.0 – 6.9), High (7.0 – 8.9), and Critical (9.0 – 10.0). In general, defects are resolved in the most current version of Profisee products. Our responses to in-scope vulnerabilities follow these general guidelines.
| Severity | When / How we fix | Letting Customers Know |
|---|---|---|
| Critical and High | Make fix available for customers in the current version of the product ASAP. | Notification to all current and former customers; update posted to security notification page. |
| Medium | Make fix available for customers in the current version of the product as part of the next scheduled maintenance release. | Notification to current customers; update posted to security notification page. |
| Low | Make fix available as soon as is practical. These are typically addressed in scheduled feature releases for current versions of the product. | Updates to the KARI (Known and Resolved Issues) page. |
Remediation Process
In general, we strive to disclose vulnerabilities to the CVE database within 90 days of confirming that a vulnerability exists and is in scope (see Scope) for a supported product. If we anticipate that the creation, test, release, customer notification and adoption cycles will take more than 90 days, we commit to working with security analysts in good faith to protect our users and to ensure that vulnerabilities in Profisee products are disclosed and managed in a fair and open manner.
Legal
All aspects of the Profisee Security Disclosure Process and Policy are subject to change without notice at any time. While we strive to acknowledge all submissions, a response is not guaranteed for any specific issue or class of issues. Your use of the information in the policy or materials linked from the policy is at your own risk.
We encourage security researchers to report their findings to us without fear of legal consequences. Profisee Security does not intend to engage in legal action against any researcher who 1) performed and reported research according to current best practices for conducting and reporting that research and 2) is adhering to the precepts of responsible disclosure. Security researchers must make good faith efforts to avoid violating any law and to avoid any action that could negatively impact the confidentiality, integrity or availability of the information and systems of either Profisee Security or its customers.
Past Vulnerabilities
Past reports of vulnerabilities in Profisee’s products are listed here.