QUALITY
Security Incident Response Protocol
At Wibu-Systems, security is our first and foremost priority. We are acutely aware of the need to integrate the most stringent
quality and security standards into our products. While we strive for perfection, we also recognize that even the slightest of
irregularities, bugs, or misconfigurations can have serious consequences. It is for these rare occurrences that we have created
a Security Incident Response Team and a critical response protocol to address issues as swiftly and transparently as possible.
Following is a general overview of our Security
Incident Response Protocol:
Report
If a client or user of Wibu-Systems believes
that they have identified a critical bug, they
are encouraged to contact our support team
directly by email to [email protected] or by
logging into our Incident Management System
at https://support.wibu.com (a separate category
is included for ‘Security Incidents’). If this
category is selected, a response time of two
hours is applied in the system, irrespective of
the service level for the reporting client. This
approach ensures that the ticket is reviewed
by a qualified member of our support staff as
quickly as possible, who then checks whether
the input data is complete and actionable.
Scoring by CVSS
The ticket is then passed on to our dedicated
Security Incident Response Team, which
includes three security experts working in
our Corporate Technology unit. They have a
standardized process for assessing the reported
incident and preparing an initial scoring,
using the industry standard CVSS (Common
Vulnerability Scoring System). This means that
a score between 0.0 and 10.0 is calculated to
designate whether the incident implies minor
or high vulnerability. Additional information is
also recorded to help other security specialists
understand immediately what is at stake and
which corrective action needs to be taken for
the system(s) affected.
The scoring is reported back to and, if need be,
coordinated with the original user. As in all
scoring processes, feedback from all participants
is considered.
Action
If the check confirms that the reported incident
is a critical problem, special tags are set in
our software development tracking system.
Depending on the severity of the vulnerability,
the problem is typically resolved with an
ad-hoc bug-fix release or with the scheduled
next release of the software as part of the
regular development process. The Security
Incident Response Team along with the
relevant product and development managers
and key executives as needed are all involved
in the decision-making process.
This protocol guarantees that we are able to
respond as quickly as possible and deliver the
appropriate solutions for all of our clients and
users. We truly believe that an honest and
transparent response to security incidents like
this is always the right choice.