Vulnerability Handling Guidelines
The senhasegura security team, called SEGi9, looks for and proactively responds to security vulnerabilities reported in senhasegura products and their components.
This team works with members of the security community, security companies, external security audits, and external customer and end-user security teams.
senhasegura is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation.
Reporting a Potential Security Vulnerability
If you have discovered a potential security vulnerability in a senhasegura product, please contact the SEGi9 team at firstname.lastname@example.org. Please include the following details:
- The products and versions affected
- Date of the last update
- Detailed description of the vulnerability
- Information on how to exploit the reported issue
Vulnerability information is extremely sensitive. We strongly recommend that you encrypt all security vulnerability reports using the CVE senhasegura PGP key below:
CVE senhasegura PGP key
Publication of Security Information
senhasegura publishes one type of security information at the senhasegura Product Security Center.
It provides information about security vulnerabilities identified in senhasegura products, including any fixes, workarounds, or other actions.
Vulnerability Handling Process
Security vulnerabilities in senhasegura products are actively managed through a well-defined process. The time to respond varies based on the scope of the issue. The process consists of 4 key steps: reporting, evaluation, solution, and communication. Each step is described below:
The process begins when the SEGi9 team becomes aware of a potential security vulnerability in senhasegura products. The reporter receives an acknowledgment and updates throughout the handling process.
The SEGi9 team confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a priority. If the vulnerability is fully or partially confirmed on the stable version, a special technical squad is created to analyze and fix the issue. This multipurpose squad includes developers, security analysts, product analysts, and quality analysts.
After the issue is fixed, the security patch will be inserted into the unstable version and handed over to the quality team to test and approve the modification.
In cases where a vulnerability is being actively exploited with high risk, senhasegura will deliver a patch directly to all versions of senhasegura.
senhasegura publishes a security advisory for severe issues. Less severe cases are communicated through other methods. Advisories are posted at the senhasegura Product Security Center and released simultaneously to all customers.