Launching VASCO’s Product Security Incident Response Process

Frederik Mennes, July 9, 2014

I am happy to announce the launch of VASCO’s product security incident response process. This process stipulates the various steps that VASCO takes from the moment that a third party (typically a customer or researcher) reports a suspected vulnerability in a VASCO product until the moment that the vulnerability is addressed by VASCO, for instance using a product fix.

In this blog post I want to focus on the two principles that underpin our product security incident response process. A full overview of the process is available on VASCO’s website at http://www.vasco.com/psirt.

The first principle is transparency. It means that VASCO strives to be transparent towards third parties, especially customers, about security vulnerabilities that are discovered in its products. Transparency allows customers to take the right steps to ensure the security of their IT infrastructure, as it may rely on VASCO technology. Transparency also means that third parties know what to expect when reporting a suspected vulnerability to VASCO. That’s why we have described the product security incident response process in detail on our website. We believe that this transparency will create trust, and ultimately strengthen the relationship between VASCO and its customers.

The second principle is responsible disclosure. This means that VASCO will ensure that parties affected by a confirmed vulnerability receive a period of time to patch the vulnerability before details about it are published. In this way we minimize the damage that could arise from the vulnerability, and protect the customers using our products. In order to ensure responsible disclosure, we encourage third parties to use the contact details of VASCO’s Product Security Incident Response Team (PSIRT) when reporting suspected vulnerabilities. These contact details are also available at http://www.vasco.com/psirt.

I encourage readers of this blog to read our PSIRT website, and to provide any feedback they might have.

Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.