RFC 2350 Information about the Security Team


1 Document Information
1.1 Date of Last Update

13 March 2020

1.2 Distribution List for Notifications

1.2.1 Advisories
Advisories will be published as part of the ProductNews newsletter (productnews@contact-software.com).
You may register for the newsletter here: https://www.contact-software.com/en/registration-product-newsletter/
The published advisories can be found at: https://kundenportal.contact-software.com/handout/produktsupport/security-advisory

1.3 Locations where this Document May Be Found

This document can be downloaded via HTTPS from the CONTACT Software GmbH homepage: https://www.contact-software.com/en/security


2 Contact information
2.1 Name of the Team

CONTACT Software Security Team

2.2 Address

Physical deliveries can be addressed to:

CONTACT Software GmbH
Security Team
Wiener Straße 1-3
28359 Bremen
GERMANY

2.3 Time Zone

The team operates in the Europe/Berlin time zone, Central European Time / Mitteleuropäische Zeit (CET/MEZ).
It is usually reachable during typical business hours from Monday to Friday.

2.4 Telephone Number

The central office can be reached at: +49 421 20153-0
Ask to be put through to the security team.

2.5 Facsimile Number

Must not be used for security purposes, use email instead.

2.6 Other Telecommunication

None for security purposes.

2.7 Electronic Mail Address

security@contact-software.com

2.8 Public Keys and Encryption Information

The current public PGP key can be fetched from the keyserver at https://keys.openpgp.org/ using the e-mail address listed in section 2.7.
It is also listed here:


2.9 Team Members

No public information about team members is disclosed.

2.10 Points of Customer Contact

The preferred method for contacting the security team is via e-mail at <security@contact-software.com>. If it is not possible (or not advisable for security reasons) to use e-mail, the security team can be reached by telephone during regular office hours. The security team's hours of operation are generally restricted to regular business hours (09:00am – 05:00pm, Monday to Friday except holidays).


3 Charter
3.1 Mission Statement

The purpose of the security team is, first, to help improve the security of the products made by CONTACT Software GmbH, and second, to assist customers and partners in responding to incidents or vulnerabilities related to CONTACT Software GmbH products.

3.2 Constituency

The security team provides its services to the following groups. The scope of services varies by group and may be subject to support contracts.

  • Employees (especially development and support related) at CONTACT Software
  • Customers using CONTACT Software products
  • Partners of CONTACT Software

Topics relating to general operations, the web site or other security-related matters concerning CONTACT Software GmbH may be handled on a case-by-case basis. Usually these will be forwarded to the responsible persons and not handled by the security team itself.

3.3 Sponsorship and/or Affiliation

The security team is affiliated with the software development (SD) department of CONTACT Software GmbH.

3.4 Authority

The security team has authority over the software development and release process at CONTACT Software GmbH.
It has NO authority over the deployed systems at customer sites and can only act in an advisory role for those. It also has NO authority over products that are based on CONTACT Software GmbH products but distributed and marketed by partners. It also has NO direct authority over the website or most other operational services used by CONTACT Software GmbH.


4 Policies
4.1 Types of Incidents and Level of Support

The security team's focus on the product itself rather than on the operation of a deployed system is reflected in the types of incidents handled and the support provided.
The security team will provide support for the following incidents and topics. The amount of support varies by topic and involved parties and may be subject to support contracts.

  • Handle reporting of vulnerabilities in CONTACT Software GmbH products
  • Handle the disclosure process for vulnerabilities and patches
  • Provide consulting support for teams inside CONTACT Software GmbH
  • Provide tools and documentation about security topics
  • Provide advice or assistance to customers' CSIRT teams when resolving incidents related to or involving CONTACT Software GmbH products
  • Provide limited consulting support for customers regarding secure deployment or operations practices of CONTACT Software GmbH products
  • Provide consulting support for partners for security topics related to CONTACT Software GmbH products

4.2 Co-operation, Interaction and Disclosure of Information

CONTACT Software GmbH Security Team values cooperation and information sharing with other CERTs/CSIRTs. Information is only passed on according to its classification and on a need-to-know basis, unless we are required by law to do otherwise. CONTACT Software GmbH Security Team supports the responsible disclosure methodology (see the OWASP Vulnerability Disclosure Cheat Sheet) with a usual timeframe of 30 days for security patches, which might be extended to 90 days if needed.

4.3 Communication and Authentication

When communicating by e-mail via the security@contact-software.com address, messages will be signed with the security team's PGP key as listed in section 2.8. The current key may be retrieved from the keyserver at https://keys.openpgp.org/. All sensitive communication to CONTACT Software GmbH Security Team should be encrypted with our public PGP key. Senders should sign their messages if possible.


5 Services
5.1 Incident Response

All incidents related to **products** of CONTACT Software GmbH will be evaluated. Incidents related to CONTACT Software GmbH services or other topics will be forwarded to the responsible business units. Senders are encouraged to use the usual points of contact (if known) for those interactions, as the CONTACT Software Security Team is only a fallback for operational concerns. If necessary, in-depth analysis is provided by technical experts.

5.1.1 Incident Triage

  • Incoming incident reports are evaluated, prioritized and compared with ongoing incidents.
  • Incidents are:
    – checked for whether they can be understood from the information given
    – classified with a severity and scope

5.1.2 Incident Coordination

  • Incident-related information objects (e.g. logfiles, ...) will be classified with respect to the information disclosure policy.
  • All other involved internal and external parties will be notified on a need-to-know basis respecting our information disclosure policy unless we are required to by law.

5.1.3 Incident Resolution

  • The cause of the incident will be determined and its effects will be mitigated.
  • Where necessary, analysis of compromised systems.

5.2 Proactive Activities

  • Security Trainings for CONTACT Employees
  • Security Reviews in the secure (product) development lifecycle (SDL)
  • Secure deployment guides / best-practice guides
  • Development of security configuration tools
  • Introduction of new security requirements into product roadmap
  • Publication of Security Advisories
  • In-house penetration testing and investigation of customers' penetration testing results
  • Continuous Integration / Continuous Deployment with static code analysis
  • Post-Mortem analysis to learn from the past

6 Incident Reporting Forms

No special incident reporting form is necessary. Please use the e-mail address listed in section 2.7 and include the following information with your report.

  • Contact details:
    – name of person
    – name and address of organization
    – e-mail address, telephone number, PGP key information if available
  • Short summary of the incident
  • Systems affected:
    – product names and versions involved
    – additional information
    – details of the observations that led to discovery (i.e. logfiles, screenshots, etc.)

If possible, please sign your message with your PGP private key to establish a secure communications channel.


7 Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CONTACT Software GmbH assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.
