Gordian PSIRT Policy

Overview

The Gordian PSIRT team is responsible for maintaining security standards for Gordian products by assessing and minimizing the customer risk associated with security vulnerabilities, and by providing timely information, guidance and remediation for vulnerabilities in our products. The Gordian global PSIRT team manages the receipt, investigation, remediation and public reporting of information about security vulnerabilities related to Gordian products. Key responsibilities of the Gordian PSIRT team are to intake, triage, respond to and disclose externally identified vulnerabilities in Gordian products.

Reporting

Gordian welcomes reports of potential product vulnerabilities from independent researchers, industry organizations, vendors, customers and others concerned with product security.

To report a potential vulnerability, please use the Report a Potential Vulnerability form below.

Escalation Procedures

Gordian offers a clear and easily accessible reporting channel via a secure contact form on the Report a Vulnerability page. Each form submission generates a ticket which is reviewed by a member of our PSIRT team.

Responsible disclosure reports will receive an automatic response indicating that we have received the submission. A member of our PSIRT team will then reach out to the reporter with the vulnerability verification results.

Time to remediation is determined by the vulnerability's priority level; please see Vulnerability Classification below. Public disclosure of a Gordian vulnerability may take place within the product release notes.

Vulnerability Classification

Gordian follows NIST standards available here: https://nvd.nist.gov/vuln-metrics/cvss.

PSIRT Vulnerability Management Process

The vulnerability management process is a systematic approach to identifying, assessing, prioritizing and addressing vulnerabilities within Gordian applications. It involves a series of activities aimed at reducing the risk posed by vulnerabilities and ensuring the overall security of our organization’s offered products.

Vulnerability triage steps are as follows:

  1. Intake: Receive vulnerability report and acknowledge receipt.
  2. Analysis: Reproduce the reported issue against internal sources and verify the vulnerability.
  3. Feedback: Inform reporter of vulnerability verification status.
  4. Remediation: Develop and deploy remediation.
  5. Disclosure: Publish advisory within release notes. Engage in post-remediation activities.

Vulnerability Management

Gordian takes security concerns seriously and prioritizes their prompt evaluation and response. Response timelines will depend on a number of factors, including the severity and impact, the specific product or feature affected, the current product development cycle and the technical requirements needed to properly address the concern or issue. Remediation may include any of the following actions:

a. A new product release
b. A Gordian security update
c. Third-party-directed update installation or patch
d. Other procedural approach to mitigate the vulnerability or concern

Gordian is dedicated to the prompt resolution of all potential or actual security vulnerabilities but does not guarantee any specific remediation or resolution for reported concerns.

Coordination with Stakeholders

In addition to the Gordian PSIRT team outlined above, Gordian may employ commercial incident investigation firms if necessary to properly address any given issue.

PSIRT team communication tools include those approved for corporate use for widespread communication within Gordian and for the project and task tracking of engineers. These are the channels through which Gordian will disseminate information to the appropriate stakeholders.

Report a Potential Vulnerability

To report a vulnerability, please fill out the form below. We aspire to respond to researchers within 72 hours regarding the status of the potential finding. We appreciate your patience and dedication to improving the security of products at Gordian.
