
CVE-2021-32004: Cybersecurity Advisory - Secomea

This issue affects: Secomea GateManager, all versions prior to 9.6. An improper check of the Host header in the web server of Secomea GateManager allows an attacker to cause browser cache poisoning.

Source: CVE | Tags: #vulnerability #web
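The "improper check of the Host header" named in the description above is the bug class in which a web server trusts the client-supplied Host value when it builds its own responses. As an added illustration (not Secomea's code; the hostnames and allowlist are constructed assumptions), the following shows a strict Host check beside the weak pattern it replaces:

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the names this server is legitimately reached at.
ALLOWED_HOSTS = {"gatemanager.example.com", "gm.example.com"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Strict Host header check: exact, case-insensitive match against an allowlist.

    Rejects empty/missing values, embedded userinfo ('trusted@evil'), paths,
    queries and non-numeric ports; an optional numeric :port is ignored.
    """
    if not host_header:
        return False
    try:
        parts = urlsplit("//" + host_header)
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    # Anything beyond a bare host[:port] is not a valid Host header value.
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return False
    return (parts.hostname or "") in allowed  # .hostname is already lowercased


def absolute_url_unchecked(host_header, path):
    """Weak pattern behind this bug class: the client-controlled Host header is
    copied into a server-generated absolute URL (redirect, canonical link,
    script or stylesheet URL). If the browser caches that response, it keeps
    fetching from the attacker-chosen host on later visits."""
    return "https://" + host_header + path


def absolute_url_checked(host_header, path):
    """Hardened form: the URL is only built from a Host the server recognises;
    a request carrying any other Host is refused (returns None here)."""
    if not host_is_allowed(host_header):
        return None
    return "https://" + host_header.lower() + path


if __name__ == "__main__":
    for host in ("gatemanager.example.com", "GateManager.Example.com:443",
                 "evil.example", "gatemanager.example.com@evil.example"):
        print(f"{host!r:45} allowed={host_is_allowed(host)}")
```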

At Secomea, we are dedicated to ensuring our customers have the information they need to keep their systems up to date and protected against cybersecurity threats.

Secomea is authorized by CISA (Cybersecurity & Infrastructure Security Agency) as a CVE Numbering Authority (CNA); CVE is the de facto international standard for identifying and naming cybersecurity vulnerabilities. Our support team ensures that discovered vulnerabilities are disclosed in a timely manner and in accordance with the CVE Program standards.

Find information about:

Advisory Process | Advisories | Subscribe for Notifications

SECOMEA CYBERSECURITY ADVISORY PROCESS

1. Report

If you have discovered an issue that you believe is a security vulnerability in our products or services, please email [email protected]. Please include the following, as applicable:

  • A detailed description of the vulnerability
  • A Proof of Concept (POC) or instructions (e.g. screenshots, video, etc.) on how to reproduce the vulnerability or steps taken
  • Risk or exploitability assessment
  • Instructions on how to reach you with follow up questions
  • Whether the issue is subject to a Coordinated Vulnerability Disclosure (CVD) deadline

CVE assignment and discovery acknowledgment for reports on products no longer supported will be decided on a case-by-case basis.

We strive to respond to all reports within three working days.

We acknowledge that a report may contain sensitive information. If so, please indicate in the email that you have sensitive data to exchange with us, and we will arrange suitable exchange measures. You can also submit using our PGP Public Key.

2. Analysis

Once reported, our support team will perform an evaluation of the issue to determine the affected products and whether the report is a valid security vulnerability. The support team will then contact the reporting entity with our analysis results. The reporter must respond within 30 days or the case may be closed. If necessary, partners or other CERTs are informed and involved in the process.

3. Handling

Vulnerabilities will be addressed by R&D as product fixes (remediations or mitigations). Secomea will keep the reporter informed of the status of the reported vulnerability and of our approach to addressing the issue. If appropriate, a preview release can be provided to the reporter in advance for validation.

We strive to provide fixes to vulnerabilities with CVSS (CVSS version 3.1) scores above medium within 30 business days. Generally, CVEs with medium/high CVSS scores but with a low risk/impact evaluation may have a longer timeline than CVEs with high risk/impact evaluation.

4. Disclosure

Secomea will release product fixes for vulnerabilities as part of normal product releases. Fixes are deployed to Secomea hosted solutions as they become available. Secomea will disclose security advice as part of the release documentation. All CVEs with a CVSS score of medium or higher will be published to the CVE list.
The disclosure timeline for security advisories will be coordinated with customers, partners and the reporter.

Our Security Advisory usually contains the following information:

  • CVE reference, CVSS score and description of the vulnerability including risk/impact evaluation
  • Available mitigations and workarounds
  • Reporter credit (optional)

5. Third-Party software vulnerabilities

Vulnerabilities in third-party software components used in supported Secomea products are assessed according to their risk/impact in relation to the product's security context. Secomea may adjust the CVSS score to reflect that impact. As with Secomea-developed software, a fix is released as part of the normal product releases. Third-party vulnerabilities with an assessed CVSS score above medium will be disclosed as part of the release documentation.

SECOMEA SECURITY ADVISORIES

SIGN UP FOR VULNERABILITY NOTIFICATIONS

Sign up to receive timely notifications about security issues, vulnerabilities, and exploits directly in your mailbox.
