To ensure that our products maintain the highest security standards and integrity, we have a formal process of investigation that is handled by the Product Security Investigation Team.
The following figure illustrates the OneSpan PSIRT process at a high level.
As a first step, the OneSpan PSIRT becomes aware of a suspected vulnerability in one or more OneSpan products. This may happen in several ways:
- A third party (customer, partner, researcher, etc.) reports a suspected vulnerability directly to OneSpan.
- OneSpan becomes aware of a public posting (on Bugtraq, VulnDev, etc.) about a suspected vulnerability.
- OneSpan itself discovers a vulnerability in a OneSpan product.
Subsequently, the OneSpan PSIRT logs the suspected vulnerability with supporting details and informs the reporter that it is investigating the case.
If the suspected vulnerability is privately reported by a third party, the OneSpan PSIRT requests the reporter to maintain strict confidentiality until complete resolutions are available and have been published by the OneSpan PSIRT, in line with responsible disclosure practices. The OneSpan PSIRT will keep the reporter informed about all steps throughout the process.
The OneSpan PSIRT reports the suspected vulnerability to the relevant product teams for verification. The product team attempts to reproduce the issue to verify whether it is in fact a vulnerability.
Throughout the analysis, the OneSpan PSIRT strives to work collaboratively with the reporter to confirm the nature of the vulnerability, gather required technical information, and ensure appropriate remedial action.
The OneSpan PSIRT manages all sensitive information on a highly confidential basis. Distribution within OneSpan is limited to those individuals who have a need to know and can assist in the resolution.
If the suspected vulnerability is confirmed, then the OneSpan PSIRT and the product team work together to define the severity level of the vulnerability using the Common Vulnerability Scoring System (CVSS), version 2.0.
The product team determines for which product versions a fix should be developed and provides an estimate for the release date of the fixes. The product team also develops the fixes.
The OneSpan PSIRT determines whether a security publication will be issued and, if so, the type of security publication that will be used to disclose the vulnerability.
The OneSpan PSIRT drafts the security publication in cooperation with the product team. With the agreement of the reporter, the OneSpan PSIRT may acknowledge the reporter's contribution during the public disclosure of the vulnerability. If necessary, the OneSpan PSIRT works with the MITRE Corporation to obtain CVE identifiers for the vulnerability.
The OneSpan PSIRT publishes the security publication via different channels:
- On the PSIRT website
- Via the Security Advisories & Response RSS feed
The OneSpan PSIRT may also release the security publication on security forums, vulnerability databases or e-mail lists. However, only the official OneSpan PSIRT website is kept up to date.
Finally, OneSpan also informs customers using an impacted product via e-mail.