NetX routinely runs third-party vulnerability scans on our software products and SaaS infrastructure. On occasion, customers may run their own scans and provide those reports to us. This document describes how we respond to those reports.
NetX welcomes customer security scans; however, if you want to scan the NetX SaaS platform, please inform NetX Support or your Account Manager before doing so.
Depending on the vendor, NetX will investigate security scans that list vulnerabilities at a level of Medium or above. We reserve the right not to respond, especially if we determine the report is in error. If you have a scan you’d like to share with NetX, please open a ticket with NetX Support, providing the entire report, any additional or pertinent details, and specific concerns.
NetX welcomes scans of on-premise installations of NetX. However, it is important to note that vulnerability reports can vary based on the hosting environment — the operating system, proxy server, database, network security, and peripheral systems that may be installed alongside NetX. As such, reports from on-premise installations may include more vulnerabilities than our SaaS deployments because certain components do not match what we use or recommend.
Based on the CVSS v3.0 Ratings (https://nvd.nist.gov/vuln-metrics/cvss), we take High and Critical-level vulnerabilities very seriously. If you run a scan that reports various vulnerabilities, please determine which of the vulnerabilities are actually:
- Distributed with the NetX installation or upgrade package.
- Versions or software listed or recommended by NetX in our Knowledge Base.
If these criteria are met, please open a NetX Support ticket and provide us with the entire report, identifying which specific vulnerability in the report you are concerned about. In the case where there are multiple vulnerabilities that meet both of the criteria above, please open a separate ticket for each vulnerability (often, each vulnerability will have its own resolution). If these two criteria are not met, then NetX Support likely can’t respond.
NetX is committed to identifying and quickly resolving any and all vulnerabilities in our software and SaaS platform. In most cases, we can immediately resolve critical vulnerabilities and have a track record of doing so. In other cases, especially with vulnerabilities identified in on-premise environments, NetX will address those issues as quickly as possible, and/or will attempt to provide workarounds as they are available. In extreme cases, NetX may provide a workaround that temporarily disables a function of the software to mitigate the vulnerability until such time that we can support a new version of that component with the vulnerability resolved.