Overview

The ServiceChannel PSIRT team is responsible for maintaining security standards for ServiceChannel products. It assesses and minimizes customers’ risk associated with security vulnerabilities by providing timely information, guidance, and remediation for vulnerabilities in our products. The ServiceChannel global PSIRT team manages the receipt, investigation, remediation, and public reporting of information about security vulnerabilities related to ServiceChannel products. Key responsibilities of the ServiceChannel PSIRT team are to intake, triage, respond to, and disclose externally identified vulnerabilities in ServiceChannel products.

Definitions

Reporting

ServiceChannel welcomes reports of potential product vulnerabilities from independent researchers, industry organizations, vendors, customers, and others concerned with product security.

Escalation Procedures

ServiceChannel offers a clear and easily accessible reporting channel via a secure contact form on the Report a Vulnerability page. Each form submission generates a ticket which is reviewed by a member of our PSIRT team.

Reporters who submit a responsible disclosure report will receive an automatic response confirming that we have received their submission. A member of our PSIRT team will reach out to the reporter with the vulnerability verification results.

Time to remediation is determined by the vulnerability’s priority level; please see Incident Classification below. A ServiceChannel vulnerability may be publicly disclosed within the product release notes.

Vulnerability Classification

Priority levels are further explained by the tables below.

| Impact \ Probability | Rare P(x) = 1 | Unlikely P(x) = 2 | Possible P(x) = 3 | Probable P(x) = 4 |
|---|---|---|---|---|
| Very High I = 4 | Medium 4 | High 8 | Critical 12 | Critical 16 |
| High I = 3 | Low 3 | Medium 6 | High 9 | Critical 12 |
| Medium I = 2 | Low 2 | Medium 4 | Medium 6 | High 8 |
| Low I = 1 | Low 1 | Low 2 | Low 3 | Medium 4 |

| Priority level | Matrix score | Decimal score |
|---|---|---|
| Critical | 10+ | 9.0–10.0 |
| High | 7–9 | 7.0–8.9 |
| Medium | 4–6 | 4.0–6.9 |
| Low | 0–3 | 0.1–3.9 |
| None | N/A | "0" |

PSIRT Vulnerability Management Process

The vulnerability management process is a systematic approach to identifying, assessing, prioritizing, and addressing vulnerabilities within ServiceChannel applications. It involves a series of activities aimed at reducing the risk posed by vulnerabilities and ensuring the overall security of our organization’s products.

Vulnerability triage steps are as follows:

Vulnerability Management

The aspired response time for initial contact from a PSIRT member to a vulnerability reporter is 72 hours. Follow-up communications may occur between the time of positive vulnerability validation and vulnerability disclosure within product release notes.

"ServiceChannel takes security concerns seriously and prioritizes their prompt evaluation and approach. Response timelines will depend on a number of factors including the severity and impact, specific product or feature affected, the current product development cycle, and the technical requirements needed to properly address the concern or issue. Remediation may include any of the following actions:"

ServiceChannel is dedicated to the prompt resolution of all potential or actual security vulnerabilities, but does not guarantee any specific remediation or resolution for reported concerns.

Coordination with Stakeholders

In addition to the ServiceChannel PSIRT team outlined above, ServiceChannel may employ commercial incident investigation firms if necessary to properly address any given issue.

PSIRT team communication tools include those approved for corporate use for widespread communication within ServiceChannel and for the project and task tracking of engineers. This is how ServiceChannel will disseminate information to appropriate stakeholders.

Report a Potential Vulnerability

To report a vulnerability, please fill out the form below. We aspire to respond to researchers within 72 hours regarding the status of the potential finding. We appreciate your patience and dedication to improving the security of products at ServiceChannel.