Vulnerability Policy
Last updated
Last updated
The EnGenius Product Security Incident Response Team (PSIRT) is responsible for promptly handling any security incidents that affect EnGenius products. This team is a dedicated, global group that oversees the receipt, investigation, and public reporting of information about any security vulnerabilities or issues that are related to EnGenius products and networks. EnGenius defines a security vulnerability as a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, can have a negative impact on confidentiality, integrity, or availability. However, EnGenius reserves the right to deviate from this definition under specific circumstances. Additionally, the EnGenius PSIRT adheres to ISO/IEC 29147:2018 guidelines for the disclosure of potential vulnerabilities, as established by the International Organization for Standardization.
We post security advisories on our website at https://docs.engenius.ai/esp to alert our customers to any security vulnerabilities that may be present in our products. Our advisories provide relevant information such as affected versions, worst-case impact, required configurations, available workarounds, fixed versions, CVE IDs, CWE IDs, CVSS scores, and acknowledgments for anyone who discovers the issue. We strive to avoid including any information that may aid attackers in exploiting the vulnerabilities.
To offer personalized support, release review, and upgrade planning assistance to our customers, we inform the EnGenius Focused Services team about any upcoming security advisories whenever possible.
We publish advisories for any critical issues with active exploitation as soon as practical, even if it means publishing them out of cycle.
We do not publish advisories for general security improvements or defensive programming fixes that do not have a proven security impact.
For our SaaS (cloud services) products, we do not publish advisories for vulnerabilities that EnGenius can completely resolve without requiring customer action. We may maintain a maintenance log of resolved vulnerabilities that is updated when issues are resolved.
To maintain the confidentiality of any sensitive non-public information about vulnerabilities, we restrict access to only those individuals who have a legitimate need to know and can contribute to the remediation processes.
To safeguard our customers, we kindly request that you refrain from posting or sharing any information related to a potential vulnerability in any public forum until we have thoroughly investigated, responded to, and resolved the issue, and have notified our customers through a security advisory, if necessary.
For any requests to add signatures to detect or block new or variations of attacks or malware, please contact our customer PSIRT team directly:
If you would like, you may submit your report via email to psirt@engenius.ai. To ensure an additional level of security, we recommend that you encrypt your message using our PGP key.
Response and Remediation Process
Upon receipt of a vulnerability report, we will generally acknowledge it within one business day and provide you with a tracking number. The report will then be analyzed and reproduced by the appropriate product security engineers. Once the problem has been confirmed and understood, our product engineering team will begin working on resolving the issue for all affected and supported releases of the product. The remediations will then be reviewed and verified by our product security engineers.
EnGenius PSIRT manages the complete vulnerability response and remediation process for all EnGenius products. If the remediation of an issue is entirely within our control, we fix our SaaS products (cloud services) within a few hours or days. For our on-premise products that have regular maintenance releases and testing schedules, we ensure complete resolution to the best of our abilities within 90 days for most issues.
We score vulnerabilities using CVSS version 3.1 and consider factors such as active exploitation, customer exposure, and public disclosure timelines to prioritize our response actions for issues.