Security Vulnerability Reporting
ICONICS strives to build products that our customers trust in critical operations in their enterprises. We recognize that our products need to meet the highest standards for security, otherwise customers will not be able to deploy them with confidence. This page documents the ICONICS Security Response Policy and ICONICS’ commitments for resolving possible vulnerabilities in our products so that our customers can be assured that any such issues will be addressed in a timely fashion.
How to Report a Vulnerability
If you believe you have discovered a security vulnerability in an ICONICS product, we encourage you to either:
Submit a Form Report
Submit the information on the potential security vulnerability using our form provided below.
Send an Email
Send an email to secure@iconics.com. Please include details on the product, product version, configuration, and steps to reproduce if possible so that we can duplicate the issue being reported. We encourage the use of encryption using our public PGP key which can be downloaded here.
ICONICS values the members of the independent security research community who find security vulnerabilities and work with ICONICS so that security fixes can be issued to all customers. ICONICS’ policy is to credit all researchers in the ICONICS Whitepaper on Security Vulnerabilities when a fix for the reported security bug is issued. In order to receive credit, security researchers need to follow responsible disclosure practices, including:
- They do not publish the vulnerability prior to ICONICS releasing a fix for it
- They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code
In the case of vulnerabilities found in third-party software components used in ICONICS products, please also notify ICONICS as described above.
ICONICS' Response to Reported Vulnerabilities in Its Products
ICONICS receives private reports on potential security vulnerabilities via email and through its website where reporters can privately enter and submit information on the vulnerabilities. After receipt of a report of a vulnerability, ICONICS will triage the report and determine which products are affected and what the severity of the vulnerability is. ICONICS will provide feedback to the reporter of the vulnerability and work with them to address the issue.
In the event of a public report where there is no available fix, ICONICS will acknowledge the report by publishing an update to the ICONICS Whitepaper on Security Vulnerabilities. This information will include references to the public sources reporting the vulnerability. Whenever possible, it will include steps users can take to protect their ICONICS system from exploitation of the vulnerability.
A fix or a correction action may take one or more of the following forms:
- A new version release
- A new maintenance (Critical Fix Rollup) release for a prior released version
- A patch that can be installed on top of the affected ICONICS product
- Instructions to download and install an update or patch for a third-party software component that is part of the ICONICS product installation
- A corrective procedure or workaround that instructs users in adjusting the ICONICS product configuration to mitigate the vulnerability.
When a fix or corrective action for a vulnerability becomes available, ICONICS will notify its customers by the following means:
- The ICONICS Whitepaper on Security Vulnerabilities is updated and posted. It details the security vulnerability and provides a reference to the software updates, as appropriate, to address the vulnerability. The ICONICS Security Vulnerability Whitepaper is posted at https://iconics.com/cert.
- ICONICS will send an email to users who have registered to receive them when there has been an update to the ICONICS Whitepaper on Security Vulnerabilities.
- In the case of highly severe security vulnerabilities, ICONICS works with US-CERT on having an ICS-CERT advisory issued on such vulnerabilities at the time a fix or correction becomes available.