How to report potential security vulnerabilities for ZPE products

You can report potential security vulnerabilities via the PSIRT form or by sending email to psirt@zpesystems.com. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 2 business days. We do not support PGP-encrypted email. For particularly sensitive information, submit through the PSIRT form.

When reporting, it is best to include as much detail as possible, including:
  1. Nodegrid OS version(s) on which the potential vulnerability was detected
  2. Any CVE or other unique vulnerability identifiers (e.g. the security scanner's 'plugin number')
  3. A copy of the scan results; you can redact any hostnames, IPs, or other sensitive data

Though not required, it is ideal to first verify whether the vulnerability still exists on the latest version of the code branch, in case it has already been patched. Our Engineering team diligently applies security fixes as appropriate to affected code branches that are not EOL. If a potential vulnerability is identified on an EOL branch, please upgrade to a non-EOL build and re-test. To determine the latest version in the code branch, or to see whether the branch is EOL, refer to this article: Nodegrid OS support lifecycle policy.

Note that security scanners can produce false positives, since for efficiency some findings are inferred from a version check rather than from an actual test of the vulnerable behavior. ZPE still greatly appreciates these being reported so we can ensure our product is secure. Our PSIRT team will gladly investigate and provide feedback if patching is not needed in those rare instances.