Vulnerability Response
Cloud Software Group is committed to keeping its products and customers secure. Cloud Software Group strives to follow industry standards during all phases of the Secure Development Lifecycle (SDLC). As part of its SDLC program, Cloud Software Group has a robust Security Response Process that accepts vulnerability reports against Cloud Software Group products and services from external sources – customers and researchers alike.
The Cloud Software Group Security Response Team is a dedicated team that is responsible for managing the receipt, verification, and public reporting of information about security vulnerabilities in Cloud Software Group products.
In line with its commitment to adhere to international standard ISO/IEC 29147:2018, all issues reported to Cloud Software Group follow our vulnerability response process:
- Receipt: Upon receiving a vulnerability report, Cloud Software Group will generate a unique case identifier and acknowledge receipt by the end of the next working day.
- Triage: Cloud Software Group will investigate vulnerabilities in Cloud Software Group products and services from the date of release until End of Life. The investigation and verification of issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Throughout the investigative process, Cloud Software Group will work with the reporter to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results are delivered to the reporter along with a plan for resolution and public disclosure, if applicable.
- Variant analysis: Cloud Software Group will perform an in-depth analysis to ensure that similar issues are identified and that any action taken will ultimately address the whole class of issues.
- Resolution: The Cloud Software Group Security Response Team will work with Cloud Software Group internal product development teams to address the issue. Timescales for releasing a fix vary according to complexity and severity. Cloud Software Group will provide updates to the reporter as progress is made on the reported vulnerability.
- Release: When a mitigation or software update is released, Cloud Software Group will provide remediation or mitigation information to users, typically in the form of a security bulletin and software patches or updates. If, during the vulnerability handling process, Cloud Software Group identifies a vulnerability in a third-party product or service, we will endeavor to responsibly disclose this issue and coordinate our public releases.
- Post release: Cloud Software Group will monitor user feedback and, if necessary, update remediation and mitigation information accordingly.
How to Report Vulnerabilities?
Our PSIRT accepts vulnerability reports concerning our products through various channels.
Report Product Security Vulnerability
To submit a vulnerability report, please contact the Product Security Incident Response Team (PSIRT) via email at: secure@cloud.com
For secure transmission of information, you may utilize the Cloud Software Group Public PGP Key.
Bug Bounty Program
Security vulnerabilities are also accepted through our active Bug Bounty Program (the Cloud Software Group Bug Bounty Program).
To stay informed about security vulnerabilities, update your support notifications to receive future security bulletins by email.
We also recommend that our Citrix customers regularly review and update their organization's security contacts in their Citrix account (www.citrix.com/account).
Pre-notification of Citrix security bulletins
Citrix Security bulletins are published and disclosed to customers and the public simultaneously. However, Citrix provides advance notification of upcoming bulletins to a limited group of customers.
When able to do so, Citrix will notify enrolled customers of an upcoming Security bulletin 1-2 weeks prior to the public release date, to aid them in the planning of update activities. The notification will contain the name of the affected product, affected version (major versions only), criticality of the vulnerability and expected date of release.
Pre-notification of upcoming Citrix Security bulletins is available to customers and partners that meet the following criteria:
- Currently using customer-managed Citrix products (i.e., not in Citrix Cloud)
- Be a Citrix Unified Services customer
- Have a Citrix user base of 10,000 or more users OR be managing critical infrastructure. Examples of critical infrastructure include:
  - Cloud platform providers
  - Service platform providers
  - Healthcare-based ISVs
  - Financial Services
  - Energy Sector
  - Government Departments
  - Transportation
Customers wishing to be enrolled in the Pre-notification program should contact their Account Technology Specialist (ATS), who will apply to join the pre-notification program on their behalf.
Customers must sign and return the Citrix pre-disclosure program non-disclosure agreement; the agreement is valid only upon execution by the Citrix Chief Information Security Officer or Chief Digital Risk Officer.
For an overview of the security work and processes that are performed on the Cloud Software Group product line, consult the Cloud Software Group Secure Development Lifecycle document.