Intelex PSIRT Policy

Overview

The Product Security Incident Response Team (PSIRT) is a dedicated global team responsible for receiving, investigating, and reporting on security vulnerability information pertaining to Intelex services, products, and networks.

Reporting

PSIRT offers a single point of contact and a uniform process for customers, partners, penetration testers, and security researchers to report security vulnerabilities discovered in Intelex services, products, and networks. PSIRT encourages the external security community to disclose security issues privately and responsibly, thereby minimizing risk to customers and the brand.

Vulnerability Classification

We adhere to industry standards by rating vulnerabilities with the Common Vulnerability Scoring System (CVSS) and identifying them through Common Vulnerabilities and Exposures (CVE), providing clarity on the severity of a specific vulnerability. Additionally, we implement the vulnerability management processes described in the NIST Cybersecurity Framework and by the Cloud Security Alliance (CSA).

Vulnerability triage stages are as follows:

PSIRT Services Framework

  • Identify: Security issues are reported and verified against the general PSIRT intake process, submission guidelines, eligibility criteria, and program exclusions. Submissions that do not meet these criteria will be denied. For those that meet the requirements, the PSIRT team will acknowledge the submission and send confirmation.
  • Triage: When a potential vulnerability is reproducible, the Intelex PSIRT proceeds with the remainder of the PSIRT process. The Intelex Priority Rating System is a guideline to help our customers in managed environments prioritize security updates. We base our priority rankings on historical attack patterns for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that are in place.

The definitions of the priority ratings are:

Rating     | Definition
-----------|--------------------------------------------------------------------------
Priority 1 | A vulnerability or other issue in a production system(s) that could expose customer data or other classified information, such as source code. Examples: remote code execution, SQL injection, broken authentication/authorization process.
Priority 2 | A vulnerability or other issue in a production system(s) that could lead to significant adverse effects, such as the unavailability of the Intelex system. Examples: denial of service.
Priority 3 | A vulnerability or other issue in a production system(s) that could lead to minor effects in the Intelex system. Examples: self XSS, information disclosure via error messages.
Priority 4 | A vulnerability or other issue in a production system(s) that has no immediate effect on the Intelex system. Examples: disclosure of web server version, formula injection in CSV files.

If the vulnerability cannot be reproduced or does not affect an Intelex product, the PSIRT team informs the reporter and closes the case.

  • Analyze: Intelex employs the most current versions of vulnerability rating standards, such as CVSS and CVE, to ensure adherence to best industry practices and a shared understanding. CVSS scores range from 0.0 (lowest severity) to 10.0 (most critical severity). CVSS is broken down into three metric groups – Base, Temporal, and Environmental. Intelex only uses the Base Metrics to score vulnerabilities, which produces what is referred to as the “Base Score.” Intelex only publishes the CVSS Base Score at this time.

CVSS uses the Severity Categories and Base Scores as shown below:

CVSS Severity Category | CVSS Base Score
-----------------------|----------------
CRITICAL               | 9.0-10.0
HIGH                   | 7.0-8.9
MEDIUM                 | 4.0-6.9
LOW                    | 0.0-3.9

  • Coordinate: Upon confirmation of a vulnerability, the PSIRT team initiates processes to engage with internal stakeholders, ensuring awareness and assistance during incidents.
  • Remediate: Remediation is prioritized based on CVSS scores, complexity, affected versions, likelihood of risk, and impact. A team is assigned, and an estimated timeline is communicated to the reporter, although this may change if further information is uncovered. The PSIRT team ensures appropriate communication is provided with justification and updated timelines.
  • Notify: Remediation may be in the form of a new release, a security update, instructions to download and install an update or patch from a third party, or a workaround to mitigate the vulnerability. PSIRT publishes public vulnerability disclosures through Security Advisories once the NDA disclosure is complete. The advisories include a summary of the vulnerability, details (including CVE identifier and CVSS information), affected products and versions, recommendations for customers, and acknowledgments to the reporter or coordinator, with permission, during public disclosure. PSIRT limits the details provided in advisories to ensure data protection.

Stakeholder Coordination

In support of coordinated disclosure, Intelex will collaborate with reporters acting in good faith. Before disclosing vulnerabilities, reporters are expected to wait until a fix is available or a reasonable amount of time has passed since notification.

  • Improve: As part of the Fortive organization, Intelex is dedicated to providing top industry devices and products, following a secure development lifecycle with the Fortive Business System at its core. This drives growth and innovation, ensures the safety of lifesaving products and technologies, and scales success through continuous improvement. The team has robust tracking and internal communication mechanisms to deliver secure solutions alongside the PSIRT team.

All aspects of the Intelex PSIRT process and policies are subject to change without notice and are evaluated on a case-by-case basis. There is no guaranteed response for any specific issue or class of vulnerabilities. Intelex reserves the right to modify or update this document without notice at any time.

Submission guidelines

Your submission will be reviewed and validated by a PSIRT member.

Submit Vulnerability by using the form linked below.

Vulnerability submission best practices:

  • If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported individually.
  • When duplicates occur, the first report received is treated as unique, and subsequent reports will be marked as duplicates.
  • DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.
  • DO NOT cause a potential or actual denial of service of Intelex applications and systems.
  • DO NOT use an exploit to view data without authorization or to corrupt data.
  • DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Submission Requirements

PSIRT reserves the right to decline an identified vulnerability—at any time or stage—if it does not meet the requirements below. In such cases, an appropriate communication will be sent directly to the applicable reporter.

  • Submission guidelines are met
  • Program exclusions are not violated
  • Ineligible participants guidelines are met

Vulnerability Submission Form
