
Vulnerability Disclosure Policy

General Information

BAS-IP follows industry-leading practices in managing and responding to security vulnerabilities discovered in our products. It is impossible to guarantee that the products and services provided by our company are completely free from vulnerabilities; this is not unique to BAS-IP but a common condition of all software and services. We can, however, guarantee that at all stages of development we will make efforts to identify and eliminate potential vulnerabilities, thereby reducing the risk associated with deploying BAS-IP products and services in customer environments.

BAS-IP recognizes that some standard network protocols and services may have inherent weaknesses that can be exploited. Although BAS-IP is not responsible for these protocols and services, we provide recommendations for reducing risks associated with BAS-IP products, software, and services in the form of various guides.

What the Policy Covers

The vulnerability management policy described in this document applies to all products, software, and services under the BAS-IP brand.

What the Policy Does Not Cover

Some vulnerabilities are not covered by the BAS-IP vulnerability management policy. Please do not send reports of the following to [email protected]:

  • Vulnerabilities that require high privileges and/or social engineering, i.e. that can only be triggered with root/administrator access and/or require complex user interaction
  • Subdomain takeover, for example, gaining control over a node pointing to a currently unused service
  • Incorrect user configurations that can be prevented by following BAS-IP guides
  • Vulnerabilities in content or applications created by third-party users or partners, such as applications that can be downloaded and run on BAS-IP devices
  • Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) vulnerabilities that rely on tricking the user into visiting a malicious website or clicking a disguised link while accessing the BAS-IP device's web interface
  • Third-party open-source vulnerabilities registered with a CVE identifier located in software components or packages used in BAS-IP products, software, or services. Common examples of such software components include the Linux kernel, OpenSSL, AOSP, and others
  • Lack of HTTP(S) security headers, such as X-Frame-Options
  • Vulnerability reports generated by third-party network security scanners
  • Unsupported products/software/services
  • Network Denial of Service (DoS or DDoS) tests or other tests that disrupt access to the system or data or cause damage to them

Obligations

BAS-IP values and encourages the efforts of researchers in identifying and reporting vulnerabilities in BAS-IP products, software, and services. Following the responsible disclosure process, the BAS-IP product security team will, to the best of their ability, respect the interests of researchers through mutual cooperation and transparency throughout the disclosure process.

BAS-IP Company expects that researchers will not disclose vulnerabilities before the expiration of the 90-day period or a mutually agreed date, and that they will conduct vulnerability research within legal boundaries, without causing harm, breaching confidentiality, or jeopardizing the security of BAS-IP Company, its partners, and customers.

Vulnerability Management

BAS-IP Company assesses vulnerabilities using the well-known CVSS rating system.

Regarding open-source component vulnerabilities, BAS-IP may assess the vulnerability depending on its significance in the context of how BAS-IP recommends implementing its products, software, and services. Security consultations are usually provided only for vulnerabilities specific to BAS-IP.

Priority distribution when a vulnerability has been assessed and is subject to remediation:

  • CVSS 3.1 high/critical (7.0 – 10.0)
    BAS-IP strives to remediate the vulnerability before or within 4 weeks after external disclosure. For open-source components, the timeframe is usually longer, as BAS-IP depends on external parties for information, fixes, and/or verification
  • CVSS 3.1 medium (4.0 – 6.9)
    BAS-IP aims to remediate the vulnerability, typically within 2-3 months
  • CVSS 3.1 low (0.1 – 3.9)
    BAS-IP plans to remediate the vulnerability in the next scheduled release
  • Supported software/services
    The support stage of BAS-IP software/services is determined within the overall software lifecycle process. BAS-IP software/services are usually supported for 1 year after the end-of-life announcement

Reporting a Vulnerability

BAS-IP is constantly working to identify and mitigate risks associated with vulnerabilities in our products. If you have discovered a security vulnerability in a BAS-IP product, software, or service, we strongly recommend that you report the issue immediately. Timely reporting of security vulnerabilities is crucial to reducing the likelihood of their exploitation. Security vulnerabilities in open-source software components should be reported directly to the organization responsible for that component.

End users, partners, suppliers, industry groups, and independent researchers who have discovered a potential vulnerability are encouraged to report their findings to [email protected] or by filling out an anonymous form.

The submitted report should include:

  • Technical information about the potential vulnerability
  • Steps to reproduce
  • Estimated impact and severity in case of exploitation according to CVSS 3.1
  • Researcher’s own vulnerability disclosure policy, if any

You can expect the following from BAS-IP Company:

  • Time to first response within 3 business days after receiving the initial message
  • Processing time (counted from the first response) – within 10 business days
  • We will be as transparent as possible about the steps we take in the remediation process, including questions and issues that may delay the solution
  • We will maintain an open dialogue to discuss issues

Vulnerability Disclosure

Once the report of a discovered vulnerability has been examined and confirmed to be genuine, BAS-IP begins the responsible disclosure process. BAS-IP strives to collaborate with the researcher regarding further details, such as CVSS 3.1 assessment, security recommendation content and/or press releases (if applicable), and the date of external disclosure.

Once BAS-IP Company and the researcher have reached an agreement, the vulnerability will be disclosed externally by BAS-IP Company publishing security recommendations and/or a press release.

Document Change History

Version   Date         Description
1.0       15.02.2024   First release