ConnectLife vulnerability notification page
This page lists identified security vulnerabilities related to ConnectLife, with additional information on how to address them.
No records at this time
If you have identified a vulnerability or a potential vulnerability, please notify us via email at firstname.lastname@example.org
When submitting such an email, please provide at least the following set of data:
- Your organization and contact information
- Products and version affected
- Description of potential vulnerability
- Additional information related to the potential vulnerability (system configuration, steps to reproduce the issue)
- Information about known exploits
- Disclosure plans, if any
Vulnerability management process
During the identification stage, all vulnerabilities are gathered by the Privacy and Security Office and are managed immediately upon request. The reaction time, including feedback to the person reporting the incident, is defined as 2 days, excluding weekends and holidays. The evaluation is performed by the Risk Management department in cooperation with the R’n’D department and the IT department. The treatment of the security vulnerability is also performed by the R’n’D and IT departments, while the Risk Management department monitors to ensure that the measures defined reduce the risk level to the acceptable risk level. The risks assessed are classified as Very low, Low, Moderate, High or Critical.
Based on the risk assessment method used, the risk scenarios defined are:
- Tolerate – the vulnerability is assessed as low risk and the service / product can still operate with no or limited impact,
- Treat – additional measures will be defined and used as additional security controls to provide a safe enough environment,
- Transfer – the functionality in question and the vulnerabilities are transferred (either the product/service will no longer be used in such a way, or the vulnerable part will be managed by a third party providing an adequate level of security or reduced risk),
- Terminate – the vulnerability will be addressed in such a way that the manifestation of the vulnerability will no longer be possible – the vulnerability will be terminated.
The vulnerability treatment stage is performed by our R’n’D and IT team. As the vulnerability is reported, the activities focused on addressing the vulnerability are started without any further delay.
As the vulnerability remediation is defined, tested and approved during the treatment stage, our PR office prepares the notification for reporting purposes. The technical team is also included in the notification definition, providing the remediation will have the expected effect.
ConnectLife LLC uses two ways of communication to disclose security vulnerabilities:
- A security advice – a notification forwarded to customer care organizations, containing relevant information about the vulnerability (vulnerability description, severity level, impact the vulnerability might have on services and remediation needed to address the vulnerability). This set of information is provided to the customer care organizations and communicated to the public in order to support the end customer in risk-based decision making.
- A security notice – a notice used to rapidly respond to the vulnerability identified. The notice is published to our website along with the set of clear instructions on how to remediate the vulnerability.
A security notice may also be communicated via email to our customers with registered accounts.
All notifications are prepared regularly and published on our website. The website content regarding the vulnerabilities is refreshed on a weekly basis.
Report receipt will be confirmed within 1 business day and a preliminary assessment will take place. Within 3 business days assessments will be complete and the vulnerability will be fixed or will have a remediation plan in place.
Critical risk vulnerabilities will be fixed within 3 business days.
High and medium risk vulnerabilities will be fixed within 30 business days.
Low risk vulnerabilities will be fixed within 180 business days.
Note: some vulnerabilities are subject to environmental or hardware restrictions. Final remediation time will be determined according to the real-world situation.