Product Security Vulnerability Response Policies

Vulnerability Reporting

Vulnerability Response Process

Vulnerability Reporting

A vulnerability is a flaw or weakness in system design, deployment, operation or management. It can be exploited to violate system security policies.

Vulnerability reporters can submit potential vulnerabilities to xFusion PSIRT by email. Vulnerability information is sensitive. To ensure confidentiality, you are advised to encrypt the information sent to PSIRT@xfusion.com using Pretty Good Privacy (PGP). You can click here to obtain xFusion's PGP public key (key ID: 440EE2E2; PGP fingerprint: 3AD5750FEC87593D1FC49F3677A7BC15440EE2E2). To facilitate verification and location of vulnerabilities, include but not limited to the following content in your email:

1. Individual or organization information
2. Affected xFusion products or solutions and their versions
3. Vulnerability description
4. Technical details about the vulnerability, including the system configuration, locating method, the way to exploit the vulnerability, captured samples, Proof of Concept (PoC), and the procedure for reproducing the vulnerability
5. Information about how the vulnerability is publicly exploited
6. Possible vulnerability disclosure plan

xFusion PSIRT will respond to reported vulnerabilities according to the vulnerability response process. For details about xFusion's vulnerability response process, see Vulnerability Response Process.

xFusion PSIRT is dedicated to receiving all vulnerabilities related to xFusion products. To obtain technical support for issues about xFusion products (such as issues regarding product configuration, how to obtain patches, and live-network vulnerability fixing), please send emails to xFusion technical support at support@xfusion.com.

Vulnerability Response Process

Throughout the vulnerability handling process, xFusion PSIRT strictly ensures that vulnerability information is transferred only between relevant handlers. We sincerely request you to keep the information confidential until a complete solution is available to our customers.

Vulnerability Awareness
xFusion PSIRT receives and collects suspected vulnerabilities in products and responds to the reporters within seven natural days.
Vulnerability Validation &
Assessment
According to the Common Vulnerability Scoring System V3.0 (CVSSv3), xFusion PSIRT analyzes and validates the vulnerability and assesses its severity based on its actual impact on product security.
Vulnerability Remediation
xFusion PSIRT develops and implements vulnerability mitigation measures and remediation solutions (including product versions or patches) according to corresponding internal processes.
Vulnerability Disclosure
After mitigation measures and remediation solutions are released, xFusion PSIRT releases the vulnerability information to stakeholders and helps customers assess the actual risks of vulnerabilities to their networks.
Close-Loop Maintenance Activities
After vulnerability disclosure, xFusion PSIRT monitors the effectiveness of the remediation solutions, and provides patches/upgrade packages based on customers' comments and suggestions and internal evaluation if necessary.

We release vulnerability information and remediation solutions in the following publications:

Security Notice (SN):An SN quickly responds to public topics on product security or suspected vulnerabilities that are disclosed or to be disclosed
Security Advisory (SA):An SA informs about the remediation, containing information such as the vulnerability severity, service impact, and remediation. Vulnerabilities directly related to xFusion products and the corresponding remediation solutions are released via SAs.
Release Note (RN):As part of the deliverables released with a product version or patch, an RN contains information about patched vulnerabilities.

xFusion uses the Common Vulnerability and Exposures (CVE) to quote vulnerability information beyond the xFusion vulnerability disclosure web page. xFusion PSIRT releases SAs immediately or regularly (on every Wednesday).