Security Incident Response Protocol
At Wibu-Systems, security is our first and foremost priority. We are acutely aware of the need to integrate the most stringent quality and security standards into our products. While we strive for perfection, we also recognize that even the slightest of irregularities, bugs, or misconfigurations can have serious consequences. It is for these rare occurrences that we have created a Security Incident Response Team and a critical response protocol to address issues as swiftly and transparently as possible.
Following is a general overview of our Security Incident Response Protocol:
If a client or user of Wibu-Systems believes that they have identified a critical bug, they are encouraged to contact our support team directly by email to firstname.lastname@example.org or by logging into our Incident Management System at support.wibu.com, which includes a separate ticket category for ‘Security Incidents’. If this category is selected, the system applies a response time of two hours, irrespective of the service level of the reporting client. This ensures that the ticket is reviewed as quickly as possible by a qualified member of our support staff, who then checks whether the report is complete and actionable.
Scoring by CVSS
The ticket is then passed on to our dedicated Security Incident Response Team, which includes three security experts working in our Corporate Technology unit. They follow a standardized process for assessing the reported incident and preparing an initial scoring with the industry standard CVSS (Common Vulnerability Scoring System). The result is a base score between 0.0 and 10.0 that expresses the severity of the vulnerability (in CVSS v3 terms: 0.1–3.9 Low, 4.0–6.9 Medium, 7.0–8.9 High, 9.0–10.0 Critical). Additional information is also recorded so that other security specialists can see immediately what is at stake and which corrective action needs to be taken for the affected system(s).
The scoring is reported back to and, if need be, coordinated with the original user. As in all scoring processes, feedback from all participants is considered.
If the check confirms that the reported incident is a critical problem, special tags are set in our software development tracking system. Depending on the severity of the vulnerability, the problem is typically resolved with an ad-hoc bug-fix release or with the scheduled next release of the software as part of the regular development process. The Security Incident Response Team along with the relevant product and development managers and key executives as needed are all involved in the decision-making process.
This protocol guarantees that we are able to respond as quickly as possible and deliver the appropriate solutions for all of our clients and users. We truly believe that an honest and transparent response to security incidents like this is always the right choice.
KEYnote 37 – Edition Spring 2019