UK-PSTI-Vulnerability Disclosure Policy
Ember is fully dedicated to delivering products and services that are safe and secure. If vulnerabilities are discovered, we approach them with a strong sense of urgency and resolve them promptly. Our policy for receiving reports related to potential security vulnerabilities in our products and services, as well as our process for informing customers of verified vulnerabilities, is designed to be efficient and effective. You can trust that we are committed to delivering the highest level of security for our products and services.
When to contact the Product Security Incident Response Team (PSIRT)
If you have identified a potential security vulnerability with one of Ember's products, please contact the Ember Product Security Incident Response Team (EPSIRT) by sending an email to EPSIRT@ember.com. Once your incident report is received, the appropriate personnel will get in touch with you to follow up and address the issue. It is always helpful to report any security concerns you may have to ensure the safety and security of our products.
Please note that the EPSIRT@ember.com email address should only be used for reporting product or service security vulnerabilities related to our products or services. If you require technical support regarding our products or services, please visit www.ember.com/support for further assistance.
Ember strives to acknowledge receipt of all submitted reports within two business days.
Security Advisories
Our top priority is the security of our products and services. To keep you informed, we post all relevant security advisories on our dedicated security website (https://uk.ember.com/productsecurityadvisories). We strive to provide a practical solution, workaround, or fix for any security vulnerability we identify. In some cases, we may issue a notice even if a workaround is not available, especially if the vulnerability has become widely known to the security community. You can feel confident that we are committed to ensuring the safety of our products and services.
When Ember is notified by a third party of a potential vulnerability found in our products, we take immediate action and thoroughly investigate the finding. We are committed to ensuring the safety and security of our products, and we do not hesitate to publish a coordinated disclosure along with the third party if necessary. In cases where we receive information about a security vulnerability from a supplier under a confidentiality or non-disclosure agreement or under embargo, we work closely with the supplier to request that a security fix is released. Although we may not be able to disclose all the details about the security vulnerability, we are confident in our ability to address the issue and provide a secure product to our customers.
While Ember understands the importance of security advisories, it has chosen not to publish any related to open-source vulnerabilities at this time.
Release Notes (readme or change history)
The Release Notes contain information about security updates and reference either the CVE identifier or the internal LEN tracking number. Both references are included in our published security advisories as applicable. To protect our customers, Ember may choose to release the remediation before the security advisory, if necessary. Once the advisory has been published, information about the vulnerability can be found by looking up the LEN tracking number from the release notes. We appreciate your attention to this matter and want to assure you that we are committed to providing the best possible security for our customers.
Severity
Ember follows widely accepted industry standards to evaluate and categorize vulnerabilities based on their potential impact as High, Medium or Low. This approach is aligned with the Common Vulnerability Scoring System (CVSS), which offers an open and collaborative framework for communicating the characteristics and impacts of IT vulnerabilities. By providing a common language for scoring IT vulnerabilities, CVSS aims to benefit IT managers, vulnerability bulletin providers, security vendors, application vendors, and researchers.
Impact
Ember is committed to ensuring that our customers have the most up-to-date information on security advisories. Our advisories provide a comprehensive list of Ember products with their current status, whether Affected, Not Affected or Researching. If a product is affected, we will offer a link to the appropriate fix on the Ember Support site. Alternatively, we may suggest a workaround or provide a target date for a remediation. We understand that some vulnerabilities may be limited to a specific set of products, in which case only the affected products will be listed. There may be cases where we must publish a security advisory before completing an impact assessment across all products, and in such cases, we will list the status as Researching. We encourage our customers to visit the security advisory site frequently to stay informed on the latest status and to take appropriate action as necessary.
References
Where additional information about the vulnerability is available, the advisory provides links to relevant references, which may include the CVE entry, blog posts, or articles.
Acknowledgment
Acknowledging the researcher or finder of a vulnerability and providing them with credit, with their permission, is a best practice that we strive to follow. We believe that recognizing their contributions helps promote a culture of security and encourages others to report vulnerabilities. We are committed to treating all individuals who report vulnerabilities with respect and fairness, and we appreciate their efforts to improve our security measures.
Revision History
When an advisory is changed, the revision history shows the updates made and when they were made. We endeavor to resolve vulnerabilities in our supported products as promptly as possible. However, we cannot guarantee a specific level of response for any particular issue or category of issues, due to factors such as the complexity of the fix, quality testing, embargoes, and coordination with other vendors.