The security team called SEGi9 at Segura® Platform looks for and proactively responds to security vulnerabilities reported in Segura® products and their components.
This team works with members of the security community, security companies, external security audits, and external customer and end-user security teams.
Segura® Platform is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation.
Reporting a Potential Security Vulnerability
If you have discovered any potential security vulnerability in a Segura® product, don't hesitate to contact the SEGi9 team at [email protected]. It is essential to include the following details:
- The products and versions affected
- Date of the last update
- A detailed description of the vulnerability
- Information on how to exploit the reported issue.
Vulnerability information is extremely sensitive. We strongly recommend that you encrypt all security vulnerability reports to the SEGi9 team. Note that the key published below is in OpenSSH public-key format (an `ssh-rsa` line), not an ASCII-armored OpenPGP key block, so `gpg --import` will not accept it as printed; confirm the PGP key and its fingerprint with the SEGi9 team before sending an encrypted report.
CVE Segura® PGP key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfsnxfQiPZxBRHfG55UTX0vY/omPIojBVWQ0C2o0bXDXzUjOj6/8A3sZMRNOIDSTwCmWZxERQ5nmc7cWOF3/i+Pv5fdz8I20a+Mxhs+XoE2SHdOnF5IsRAFrdKObnA/THRZOdHT4aUzsekoDynKlUAmws2Rz3Fz8xx6El4+DJclGPkqd0N/5uTj9DpBt5ywJQS8YBF0Fgp2iCSHJPPymrZC5ZkBHO+WkdJGBjfDFKVdEfeSxiSU/11KQfcpyaMbSqhVb6jOcmb0ENBaKzilObzaRPKrorsw2yTscTebEcmUqqbWRXfEfkWzWEMOZwg/ytC46n6TN+imrWy7XlscOwmlS7CWdLft48TCGX/6zuMNPp/IDAssQa5NOA0i8z9cDKJAyaWoCO9PXHmwSWfeRxcnpuRiw8FE7JVsbMugDN3DMqsyXgT/6/apvais611YZ86ZSDz+na7WYwGWhiKkS8/DvapTnReuPZxTFYts65sGkyLcbWhY7wv7OJBC+raHeEvyac9SdS8uumv7dHyoA6DaQp+JwDhMNXZrcsneRolQ+rjRCpiqrpEB40wyaRrPvC6gADQ1ShL+LGs4jedxhEengOQoMBrwR5HFtJDGriuU7NAtKu2iUsb19psweMmZDBYNfU5uSNf+kpY5Og84v5wLxOc+E2pHo7nwxmZR2UzOQ== [email protected]
Publication of Security Information
The Segura® Platform publishes one type of security information at the Segura® Product Security Center.
Security Advisories
Provide information about security vulnerabilities identified in Segura® products, including fixes, workarounds, or other required actions.
Vulnerability Handling Process
Security vulnerabilities in Segura® products are actively managed through a well-defined process. The time to respond varies based on the scope of the issue. The process consists of four key steps: reporting, evaluation, solution, and communication. Each step is described below:
Reporting
The process begins when the SEGi9 team becomes aware of a potential security vulnerability in Segura® products. The reporter receives an acknowledgment and updates throughout the handling process.
Evaluation
The SEGi9 team confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a priority. If the vulnerability is fully or partially confirmed on the stable version, a dedicated technical squad is created to analyze and fix the issue. This squad is cross-functional, with developers, security analysts, product analysts, and quality analysts.
Solution
After the issue is fixed, the security patch is merged into the unstable version and handed over to the quality team to test and approve the modification.
In cases where a vulnerability is being actively exploited with high risk, Segura® Platform will deliver a patch directly to all versions of Segura®.
Communication
The Segura® Platform publishes a security advisory for severe issues. Less severe cases are communicated through other methods. Advisories are posted at the Segura® Product Security Center and released simultaneously to all customers.
Bug Bounty Program
Our Bug Bounty Program is designed to encourage security researchers, ethical hackers, and technology experts worldwide to collaborate in continuously improving the security of our products and services. We value the security of our users and believe the global community plays a crucial role in identifying vulnerabilities that could compromise the integrity of our systems.
We invite you, as a researcher, to help us find security vulnerabilities in our websites, applications, and security solutions. In return, we offer financial rewards based on the severity and impact of the reported vulnerability.
How it works
- Potential Vulnerability: Submit a potential vulnerability following the guidelines in “Reporting a Potential Security Vulnerability”.
- Analysis by Our Security Team: Our security team will carefully analyze each submission. If the issue is validated and was not already known internally, it will qualify for a reward.
- Rewards Based on Severity: The reporter will be rewarded according to the severity classification of the discovered vulnerability.
Scope definition
The scope of this Bug Bounty Program is limited to technical security vulnerabilities that result in a direct and demonstrable impact on at least one of the following security principles:
- Confidentiality – Unauthorized access to sensitive data, credentials, secrets, or protected information.
- Integrity – Unauthorized modification, corruption, or manipulation of data, configurations, or system behavior.
- Availability – Disruption, degradation, or denial of access to systems, services, or functionality.
Only vulnerabilities that clearly impact one or more of these principles are considered in scope and eligible for rewards.
Out of Scope
Any finding that does not demonstrate a direct, reproducible, and exploitable impact on Confidentiality, Integrity, or Availability will be considered out of scope.
This includes, but is not limited to:
- Missing security configurations;
- Hardening recommendations;
- Best practice gaps that cannot be weaponized into a working exploit.
Findings that rely solely on automated scanner output, theoretical attack paths, or unlikely conditions without a clear and demonstrable proof of concept will not be accepted.
A vulnerability is considered valid only when it can be shown to cause real harm to a user, system, or dataset under realistic conditions. If a finding requires an unrealistic chain of assumptions, negligible impact, or cannot be reliably reproduced, it will not qualify for a reward, regardless of its technical accuracy.
Examples for Out-of-Scope
The following types of findings are not eligible unless accompanied by a working proof of concept demonstrating real impact on Confidentiality, Integrity, or Availability:
- Missing security best practices – Includes absent headers (for example, CSP or HSTS), weak SSL/TLS configurations, or missing cookie flags, without demonstrated exploitability.
- Informational or theoretical issues – Findings without a clear, practical attack scenario or real-world impact.
- Automated or low-value findings – Scanner-only reports, version or banner disclosure, or exposed files without sensitive data and with no exploitable path.
- Enumeration and missing rate limiting – Unless directly leading to a proven credential attack or account takeover.
- Unrealistic user interaction requirements – Issues that depend on unlikely user behavior, excessive negligence, or unrealistic scenarios without a practical exploitation path.
- Disruptive denial-of-service testing – Reports based on DoS techniques that require service disruption or negatively impact availability without a safe and reproducible proof of impact.
Classification and Rewards
Low Severity
- Description: Vulnerabilities with limited impact, affecting only a few users or requiring specific conditions to be exploited. These flaws typically do not directly compromise security but may pose minor risks or inconveniences for users.
- Reward: US$ 100.00
Medium Severity
- Description: These vulnerabilities can be exploited under certain conditions and impact confidentiality, integrity, or availability more significantly but do not lead to full compromise of the system or critical data.
- Reward: US$ 250.00
High Severity
- Description: These vulnerabilities represent a critical risk to the system and its users, as they can result in complete control over systems, theft of sensitive data, or severe service disruption.
- Reward: US$ 500.00
Terms and Conditions
- Participants must comply with local and international laws.
- The use of exploitation techniques that disrupt services or harm users is prohibited.
- Any action violating our terms of use may disqualify the participant from the program.
All security testing or vulnerability assessments of Segura® Solution software may be performed only with explicit authorization and invitation from Segura® Platform, provided that the party performing such activities agrees to fully comply with and respect all applicable Segura® Terms of Use.
Any unauthorized testing, probing, or scanning of Segura® products, systems, or services is strictly prohibited and may result in legal action. This policy protects the security, stability, and privacy of our customers’ environments and preserves the integrity of our products.
We are committed to working together with the security community to ensure our solutions provide the highest level of protection for our clients and users worldwide. Together, we can build a safer digital environment. For more information, see: End-User License Agreement | Segura®