Vulnerability Handling Guidelines
SEGi9, the security team at senhasegura, looks for and proactively responds to security vulnerabilities reported in senhasegura products and their components.
This team works with members of the security community, security companies, external security audits, and external customer and end-user security teams.
senhasegura is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation.
Reporting a Potential Security Vulnerability
If you have discovered any potential security vulnerability in a senhasegura product, don't hesitate to contact the SEGi9 team at [email protected]. It is essential to include the following details:
- The products and versions affected
- Date of the last update
- A detailed description of the vulnerability
- Information on how to exploit the reported issue
Vulnerability information is extremely sensitive. We strongly recommend that you encrypt all security vulnerability reports using the CVE senhasegura PGP key below:
CVE senhasegura PGP key
Publication of Security Information
senhasegura publishes one type of security information at the senhasegura Product Security Center. It provides information about security vulnerabilities identified in senhasegura products, including fixes, workarounds, or other actions.
Vulnerability Handling Process
Security vulnerabilities in senhasegura products are actively managed through a well-defined process. The time to respond varies based on the scope of the issue. The process consists of 4 key steps: reporting, evaluation, solution, and communication. Each step is described below:
The process begins when the SEGi9 team becomes aware of a potential security vulnerability in senhasegura products. The reporter receives an acknowledgment and updates throughout the handling process.
The SEGi9 team confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a priority. If the vulnerability is fully or partially confirmed on the stable version, a special technical squad is created to analyze and fix the issue. This squad is multipurpose, comprising developers, security analysts, product analysts, and quality analysts.
After the issue is fixed, the security patch will be inserted into the unstable version and handed over to the quality team to test and approve the modification.
In cases where a vulnerability is being actively exploited with high risk, senhasegura will deliver a patch directly to all versions of senhasegura.
senhasegura publishes a security advisory for severe issues. Less severe cases are communicated through other methods. Advisories are posted at the senhasegura Product Security Center and released simultaneously to all customers.