Purpose
To establish a standardized process for communicating to Flexera Software customers regarding serious security issues that affect Flexera Software products or services.
Scope
This document establishes a framework for the notification process between Flexera Software and its customers when Flexera Software learns of a potential security issue. Each product line will establish its own Product Security Disclosure Document to be used in conjunction with this framework. The Product Security Disclosure Document will define what constitutes a serious security issue on a product-by-product basis, while this document sets out the manner and method of communicating to Flexera Software customers about them.
Roles
The Products & Solutions Management (PSM) team owns the communication and maintenance of these processes. The PSM team will also assist in establishing primary channels that customers and other third parties may use to report security issues. From time to time, the PSM team will evaluate those channels to ensure that they remain effective.
Action Cycle
Upon learning of a security issue, a sequenced response cycle will be triggered. The initial notification date will be considered day zero and will serve as the reference point from which all subsequent actions are scheduled. The table below provides a proposed timeline of the events that Flexera Software will seek to manage as a result of learning of a security issue.
| Event | Days since Notification Date |
|---|---|
| Verify | 0-7 |
| Mitigate | 0-7 |
| Notify | 0-14 |
| Plan a response | 5-30 |
| Respond | 30-45 |
| Report Results | 45-60 |
Verification
When Flexera Software learns of a potential security issue, it will promptly take steps to verify the potential exploit. This verification process will be led by the Product Manager and will involve direct communication with Engineering, Quality Assurance and Technical Support, as necessary. During the verification stage, a contact lead will be appointed, and that person will be responsible for collecting information about the potential exploit and for communicating directly with any outside reporting sources. Based on the results of their findings, the following guidelines will apply:
- If the response team determines that the issue is reproducible and originates from a Flexera Software product, it will move to produce a Security Issue Notification Alert. If the response team believes that the issue exists in third-party code, it will develop a Customer Security Assessment and communicate the results of its findings to that third party.
- If the response team determines that the reported threat cannot be reproduced, or does not exist, the Product Manager will communicate their findings to the customer and the reporting party.
Mitigation
As part of the verification process, the response team will investigate methods to mitigate the results of the security issue, regardless of whether the issue exists within Flexera Software developed code, or not. This mitigation will be reported on either the Security Issue Notification Alert, or the Customer Security Assessment. These documents may be amended after an initial report if new mitigation strategies are developed.
Threat Scoring
Once a threat is verified and mitigation processes have been identified, the response team will use a standardized scoring method to quantify the threat level. This generalized scoring technique will be derived from the threat matrices identified by the National Institute of Standards and Technology (NIST) in its standardized Common Vulnerability Scoring System (CVSS) Calculator. The response team will use an approved scoring calculator to produce two threat scores. The first score will define the overall score of the threat at its widest possible application. The second score will factor in the result of all mitigation options identified by the response team. These scores will be integrated into the Security Issue Notification Alert.
Notification
Once the response team has verified the existence of the security issue, it will attempt to notify affected customers. The contact lead will be responsible for the notification, and may employ any of the following notification channels:
- Email – This must be to at least two contacts within the affected company’s organization.
- Telephone – A direct phone call to a key customer representative.
- Automated Ticketing System – The Security Issue Notification Alert will be capable of publishing an email notification to customers once the alert has been finalized.
- Direct Contact – The contact lead, or a suitable proxy, may notify the customer through a personal site visit, so long as it occurs within the prescribed time.
Notification Requirements
Each Security Issue Notification Alert or Customer Security Assessment should include at least the following information:
- A tracking number – This number is uniquely generated and can be used to track either a Security Issue Notification Alert or a Customer Security Assessment.
- Notification Date – This is the date that the problem was reported to Flexera Software.
- Issue Description – This is a short description that briefly explains the security issue and its potential impact.
- Full Description – This is a full description of the security issue, including information learned by the response team as part of the verification process.
- Quantification – This section will stratify high value threats from medium and low value threats.
- Steps to reproduce – This section describes the steps taken in an effort to reproduce the security issue. However, at no point during the notification process should Flexera Software share or publish any code that exercises the exploit.
- Mitigation – This section reports any mitigation strategies learned by the response team during the course of verifying the security issue.
- Notification Range – This section will specify the response team’s opinion as to how broadly the notification should be communicated. If notification must be made to the general public, this section must describe a process by which Flexera Software will work with the customer to develop a customer-facing notification.
Respond
Flexera Software will develop a response plan for every Security Issue Notification Alert. This response plan will include at least the following information:
- Expected Response Date
- Response Description
- Distribution Plan
Report
Within 45-60 days after the conclusion of each response, the contact lead will generate a Security Issue Response Report. This report will contain a summary of the threat along with a 'post mortem' on how the threat was handled, including feedback on customer satisfaction. This document is intended for internal use only and will be used to improve the quality of future responses.