NetMotion Security Disclosure Policy and Process
As a market-leading vendor of security solutions, NetMotion is dedicated to the pursuit of security excellence throughout the product lifecycle. This document describes how we respond to reports of security vulnerabilities in our products.
NetMotion is interested in learning about all real and perceived vulnerabilities in our software, whether currently supported or in an end-of-development, end-of-sale, or end-of-support phase.
Not all vulnerability reports made to us will be responded to in the same way. Responses to vulnerabilities that are considered ‘In Scope’ will follow the processes outlined here. Responses to vulnerabilities that are considered ‘Out of Scope’ will be addressed on a case-by-case basis.
The following types of vulnerabilities are in-scope for the purposes of our security response processes.
- Vulnerabilities in our server, client, and cloud solutions in versions that have been commercially released and are currently supported.
- Vulnerabilities in our implementations of third-party technologies as implemented in commercially released versions of our products. In some cases, NetMotion leverages third-party technologies in limited ways to implement our solutions. Vulnerabilities in our implementation of these technologies are in-scope.
- All vulnerabilities in products or product versions that have been commercially released and have reached end of development, sale, or support.
Out of Scope
We are interested in learning about all vulnerabilities, but the following types of vulnerabilities are out of scope for purposes of our security response processes.
- Vulnerabilities in a supported commercial operating system or other elements of the operating environment such as the authentication infrastructure. Our expectation is that users will keep up to date on patches and retire elements of their operating environments that are end-of-life and are no longer being updated or patched by the vendor.
- Vulnerabilities in generic implementations of technologies we implement. In some cases, NetMotion leverages third-party technologies in limited ways to implement our solutions. Vulnerabilities in generic implementations of third-party technologies are out of scope unless we determine that the vulnerability exists in our implementation.
- Vulnerabilities that are only exploitable if someone intentionally misconfigures, insecurely configures, or insecurely deploys our products.
- Vulnerabilities in network functions on which a fully integrated NetMotion solution relies. An example of this might be a third-party authentication infrastructure vulnerability or an otherwise compromised operating system; vulnerabilities of this nature would be out of scope unless we determine that the vulnerability can be exploited in our implementation.
- Vulnerabilities in pre-release or developer builds such as alpha or beta. Occasionally we provide limited access to pre-release software. While we encourage the reporting of vulnerabilities in pre-release software, vulnerabilities specific to pre-release software are out of scope for the purposes of our security response.
Reporting a vulnerability in NetMotion’s products
The fastest way to notify NetMotion of a potential vulnerability in one of our products is to contact our support team and inform them that you believe there is a vulnerability. Information for contacting support can be found on our website at https://www.netmotionsoftware.com/support. It is not necessary to have an active support contract to inform us of a vulnerability in our products.
Alternately, you can send an email to securityresponse@NetMotionSoftware.com. This mailbox is actively monitored. While many NetMotion employees are active on social media, our security teams do not specifically monitor Twitter, Facebook, or other social media outlets for vulnerability reports.
NetMotion adheres to the practice of responsible disclosure, under which the time between the report of a vulnerability and its disclosure in a public forum such as the CVE database allows for the release of a patch, notification of the affected customers, and time for those customers to deploy the patch. NetMotion is pleased to publicly acknowledge, in our notifications and on our web site, the efforts of security analysts who contact us and follow this policy.
NetMotion follows the general classifications of vulnerabilities as described in the Common Vulnerability Scoring System (CVSS version 3.1, https://www.first.org/cvss/). CVSS classifies vulnerabilities into severity tiers by score – None (0.0), Low (0.1 – 3.9), Medium (4.0 – 6.9), High (7.0 – 8.9), and Critical (9.0 – 10.0). In general, defects are resolved in the most current version of NetMotion products. Our responses to in-scope vulnerabilities follow these general guidelines.
| Severity | When / How we fix | Letting Customers Know |
|---|---|---|
| Critical and High | Make fix available for customers in the current version of the product ASAP. | Notification to all current and former customers, update posted to security notification page |
| Medium | Make fix available for customers in the current version of the product as part of the next scheduled maintenance release. | Notification to current customers, update posted to security notification page |
| Low | Make fix available as soon as is practical. These are typically addressed in scheduled feature releases for current versions of the product. | Updates to the KARI (Known and Resolved Issues) page. |
In general, we strive to disclose vulnerabilities to the CVE database within 90 days of confirming that a vulnerability exists and is in scope (see Scope) for a supported product. If we anticipate the creation, test, release, customer notification and adoption cycles will take more than 90 days, we commit to working with security analysts in good faith to protect our users and ensure that vulnerabilities in NetMotion products are disclosed and managed in a fair and open manner.
Past reports of vulnerabilities in NetMotion’s products are listed here.
Bug Bounty Program
NetMotion offers a bug bounty for in-scope issues that are reported to us under the precepts of responsible disclosure and following the outline of this policy document. Claims must be accompanied by exploit code and must be made against the current shipping version of a supported product. Multiple methods for exploiting the same underlying issue will count as one issue. Payouts will be issued to the first reporter when the vulnerability is publicly disclosed. Security analysts who report through a third party can recover their bounty from that third party.
Payout amounts are as follows:
| Severity | Expected Payout in USD |
|---|---|
| CVSS Critical | $3,500 – $4,500 |
| CVSS High | $2,000 – $3,500 |
All aspects of the NetMotion Security Disclosure Process and Policy are subject to change without notice at any time. While we strive to acknowledge all submissions, a response is not guaranteed for any specific issue or class of issues. Your use of the information on the policy or materials linked from the policy is at your own risk.
We encourage security researchers to report their findings to us without fear of legal consequences. NetMotion Software does not intend to engage in legal action against any researcher who has 1) performed and reported research according to current best practices for conducting and reporting that research and 2) adhered to the precepts of responsible disclosure. Security researchers must make good faith efforts to avoid violating any law and to avoid any action that could negatively impact the confidentiality, integrity, or availability of the information and systems of either NetMotion Software or its customers.