How to report potential security vulnerabilities for ZPE products
You can report potential security vulnerabilities via the PSIRT form or by sending email to psirt@zpesystems.com.
Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 2 business days. We do not support PGP-encrypted emails. For particularly sensitive information, submit through our PSIRT form.
When reporting, it is best to include as much detail as possible, including:
- Nodegrid OS version(s) the potential vulnerability was detected on
- Any CVE or other unique vulnerability identifiers (e.g., a security scanner's 'plugin number')
- A copy of the scan results; you can redact any hostnames, IPs, or other sensitive data
Though not required, it is ideal to first verify whether the vulnerability still exists on the latest version of the code branch, in case it has already been patched. Our Engineering team diligently applies security fixes as appropriate to affected code branches that are not EOL. If a potential vulnerability is identified on an EOL branch, please upgrade to a non-EOL build and re-test. To determine the latest version in the code branch or see if the branch is EOL, refer to this article: Nodegrid OS support lifecycle policy.
Note that security scanning can produce false positives, since some findings are assumed based on a version check for efficiency. ZPE still greatly appreciates these being reported so we can ensure our product is secure. Our PSIRT team will gladly investigate and provide feedback if patching is not needed in those rare instances.