Vulnerability Disclosure Policy

Commend International requires that all researchers:

• Respect the privacy and security of others
• Respect the clearly defined scope 
• Ensure that any testing is legal and authorized
• Make reasonable efforts to contact the security team of Commend International
• Provide sufficient information to enable us to reproduce and verify the identified vulnerability

Commend International provides to all researchers:

• Contact address to report vulnerabilities
• Respond to reports in a reasonable timeline
• Clearly defined scope for our product portfolio
• Not to pursue any legal actions related to your research
• Open and respectful communication with all researchers
• Publish Commend Security Advisories (CSA) and change logs
• Offer acknowledgement within published Commend Security Advisory

Commend International appreciates all efforts of security researchers that support us with detailed information about security vulnerabilities within our products and services. It is essential to us to have sufficient details in the initial report such that we are able to understand the full impact of the reported vulnerability. Our security team is pleased to verify and reproduce the reported vulnerability in a reasonable timeline. Hence, we will respond within 15 days.

Initial report should include:

• Sufficient details of the vulnerability to allow it to be understood and reproduced
• Expected impact of the vulnerability
• Proof of concept code, script, screenshot (if available)
• Any reference or further reading that may be appropriate (if available)
• Recommendation on how the issue could be mitigated or resolved (if available)

Commend International takes the security of our systems seriously. A coordinated disclosure process is required to protect our customers from any threat actors. A vulnerability report is the starting point. This action creates internally a security issue ticket which will be reviewed by our security team. The initial review results in a first draft impact analysis which concludes in a severity level according to the Common Vulnerability Scoring System (CVSS). Our Security Board members will define the next steps for each reported vulnerability. After that we contact the security researcher again and inform about the remediation plan, possible counter measures or workarounds. Although this may be enough for an easy fix, there are more complex vulnerabilities that require an ongoing discussion for clarification between our security team, the involved developers and the reporting security researcher. We appreciate an open and respectful communication as well as recommendations on how the issue could be mitigated or resolved. Our goal is to prioritize the fix of a critical or high rated vulnerability in a reasonable time by a security patch or if this is not feasible within the next official release. As a final response step the timeline for publishing a Commend Security Advisory (CSA) will be communicated. Hence, we try to fix a reported vulnerability and publish the information within 90 days.

All customers and security researchers are encouraged to register to our Commend Security Advisory Program:

https://clibrary-online.commend.com/en/cyber-security/security-advisories.html

This is the content of a published Commend Security Advisory:

• Summary of vulnerability notification
• Affected products
• Software updates
• Workaround or mitigation
• Exploitation and public announcements
• Acknowledgement
• Sources
• Contact and coordinated disclosure
• Change log

• Symphony Cloud Services 
  https://commend.services 
• Symphony VirtuoSIS Servers 
• Symphony Devices
• Commend Studio

support@no spamcommend.com

COMMEND INTERNATIONAL GMBH
Saalachstraße 51
5020 Salzburg, Austria