Security at OneSpan

To uphold the highest standards of product security and integrity, OneSpan follows a structured and collaborative process for disclosure of security findings. This process ensures timely investigation, resolution, and communication of security vulnerabilities.

1. Discovery

The disclosure process begins when a suspected vulnerability is identified in a OneSpan product. This can occur through:

  • Direct reports from third parties via email (from customers and partners) and via OneSpan’s bug bounty program (from security researchers).
  • Public disclosures on security forums (e.g., Bugtraq, VulnDev)
  • Internal discovery by OneSpan teams

Bug Bounty Program:

OneSpan encourages responsible disclosure through its Intigriti Bug Bounty Program.

The program is available to all registered Intigriti researchers.

The program covers OneSpan Sign, Intelligent Adaptive Authentication (IAA) and OneSpan Cloud Authentication (OCA). Refer to the program scope and guidelines on Intigriti platform for more details.

Email ID for responsible disclosure:

For disclosures not covered under our Bug Bounty program, please send an email to [email protected].

OneSpan encourages the encryption and digital signing of sensitive information that is sent to OneSpan. OneSpan supports encryption of files using Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG). The OneSpan PGP public key has the following properties:

  • PGP Key: Download Link
  • Key ID: 0x2EB08598
  • Fingerprint (hexadecimal): A793 C580 E3B0 9BDD 1D29 913B 5172 2DF0 2EB0 8598
  • Fingerprint (biometric): repay molasses solo intention tissue phonetic puppy tambourine Belfast certify pheasant councilman drunken holiness button upcoming buzzard phonetic music narrative

Upon receiving a report, the associated security team logs the vulnerability with supporting details and acknowledges receipt to the reporter. If the report is private, the associated security team requests confidentiality until a resolution is published, maintaining responsible disclosure practices.

2. Internal Analysis

The security team collaborates with the relevant product teams to:

  • Reproduce and verify the reported issue
  • Confirm whether it constitutes a security vulnerability

Throughout this phase, the security team maintains close communication with the reporter to:

  • Validate the issue
  • Gather technical details
  • Ensure appropriate remediation steps

Sensitive information is handled confidentially and shared only with individuals directly involved in resolution. Confirmed vulnerabilities are assessed using the CVSS rating system, version 3.0.

3. Mitigation

Once verified, the product team:

  • Determines affected product versions
  • Develops and tests fixes
  • Estimates release timelines for patches

4. Notification

The security team evaluates the need for public disclosure and determines the appropriate format for the security advisory. If disclosure is warranted:

  • A security advisory is drafted in collaboration with the product team and is published on the Product Support portal under Knowledge Base. Security Advisories are only accessible to authenticated users. See KB0014814 for information on how to log on or obtain credentials (https://support.onespan.com/csm?id=kb_article&sysparm_article=KB0014814).
  • The reporter may be acknowledged (with consent)
  • CVE identifiers may be requested from MITRE Corporation

This updated process reflects OneSpan’s commitment to transparency, collaboration, and continuous improvement in product security.