Tackling vulnerabilities to keep your business running

Cloud Software Group is committed to keeping its products and customers secure. Cloud Software Group strives to follow industry standards during all phases of the Secure Development Lifecycle (SDLC). As part of its SDLC program, Cloud Software Group has a robust Security Response Process that accepts vulnerability reports against Cloud Software Group products and services from external sources – customers and researchers alike.

The Cloud Software Group Security Response Team is a dedicated team that is responsible for managing the receipt, verification, and public reporting of information about security vulnerabilities in Cloud Software Group products.

In line with Cloud Software Group's commitment to adhere to the international standard ISO/IEC 29147:2018, all issues reported to Cloud Software Group follow our vulnerability response process:

Receipt

Upon receiving a vulnerability report, Cloud Software Group will generate a unique case identifier and acknowledge receipt by the end of the next working day.

Triage

Cloud Software Group will investigate vulnerabilities in Cloud Software Group products and services from the date of release until End of Life. The investigation and verification of issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Throughout the investigative process, Cloud Software Group will work with the reporter to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results are delivered to the reporter along with a plan for resolution and public disclosure, if applicable.

Variant analysis

Cloud Software Group will perform an in-depth analysis to ensure that similar issues are identified and that any action taken will ultimately address the whole class of issues.

Resolution

The Cloud Software Group Security Response team will work with Cloud Software Group internal product development teams to address the issue. Timescales for releasing a fix vary according to complexity and severity. Cloud Software Group will provide updates to the researcher as and when there is progress with the vulnerability handling process related to the reported vulnerability.

Release

When a mitigation or software update is released, Cloud Software Group will provide remediation or mitigation information to users, typically in the form of a security bulletin and software patches or updates. If, during the course of the vulnerability handling process, Cloud Software Group identifies a vulnerability in a third-party product or service, we will endeavor to responsibly disclose this issue and coordinate our public releases.

Post release

Cloud Software Group will monitor feedback from users and, if necessary, will update remediation and mitigation information accordingly.

Vulnerability Disclosure

In order to submit a vulnerability report, please reach out to the Product Security Incident Response Team (PSIRT) at: secure@cloud.com

To stay informed about security vulnerabilities, update your support notifications to receive future security bulletins by email or subscribe to the RSS feed.

We also recommend that our Citrix customers review and update their organization's security contacts in their Citrix account (https://www.citrix.com/account/).