RFC 2350 Information about the Security Team
1 Document Information
1.1 Date of Last Update
13. Mar 2020
1.2 Distribution List for Notifications
1.2.1 Advisories
Advisories will be published as part of the ProductNews newsletter (productnews@contact-software.com).
You may register for the newsletter here: https://www.contact-software.com/en/registration-product-newsletter/
The published advisories can be found at: https://kundenportal.contact-software.com/handout/produktsupport/security-advisory
1.3 Locations where this Document May Be Found
This document can be downloaded via HTTPS from the CONTACT Software GmbH homepage: https://www.contact-software.com/en/security
2 Contact information
2.1 Name of the Team
CONTACT Software Security Team
2.2 Address
Physical deliveries can be addressed to:
CONTACT Software GmbH
Security Team
Wiener Straße 1-3
28359 Bremen
GERMANY
2.3 Time Zone
The team operates in the timezone: Europe/Berlin Central European Time/Mitteleuropäische Zeit (CET/MEZ)
Usually accessible during typical business hours from Monday to Friday.
2.4 Telephone Number
The central office can be reached at: +49 421 20153-0
Ask to be put through to the security team.
2.5 Facsimile Number
Must not be used for security purposes, use email instead.
2.6 Other Telecommunication
None for security purposes.
2.7 Electronic Mail Address
security@contact-software.com
2.8 Public Keys and Encryption Information
The current public PGP can be fetched from the keyserver at https://keys.openpgp.org/ with the email address as listed in 2.7.
It is also listed here:
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF5qRDUBEADBuzwiJYmiGtWx40kCoGqz300q77P6Wq3pxOGfQpiWu86EYYy1 N1iSYcoi05oyTFdgX3D0cnY4IwG65Uh6sjeDokyXCxO/7uLA9dIjL4iSZl4ciVOj aEYShH/9xGBIbf87SLrzH6Ynj4LElHOujGwYNu7qCRnn1Rl/0+Xf5fL8dZWYMXX4 ibjVP+c38DqnNiif9h6QFap/Yg5WqDZI9SG5EwK9WqHWHYChCLgg3RZc6PXzfxEl idqGS8HQRwUVcEnt7MZ+R/zy8uBsfn+CvN2OftmrXN14AiAiFBvGG9KXoikgdpxI HB/4UE5o/WWpOmWEb4uZb2foPfPxfCVA8YsuEgx3JuBlX3RHJix/fTWfqCS2Cn+E qGZjjUK30NCLXCLhDYW56PJCX0ZMDuBupBYsicDcQq6P57Wv7wvb0cqip9kgjeOU VZaF1+uL8D37rP9X/3in6q7vjKL0A4n5jkdJo7+egfoRZ2lGPH3xvK7FRrJhVFuf /NCevLlxo+VtBksFKnvgkemLobKgakK8RpqA50sJwc1YdSlQjGu1+xuTN7AiYC6I NIUS7Tl2K5jlFmPB9ae3SIP7TLsJ6QqgbF1VUorIeNRbueVBTJIjpFCYvwcjukQ0 YiWfIxi5uLYgAFQHKF9O2sAFG5WanfeEwGAZCtqTzCF8B8uOl02RtCvZ2wARAQAB tG9Qcm9kdWN0IFNlY3VyaXR5IFRlYW0sIENPTlRBQ1QgU29mdHdhcmUgR21iSCAo c2VlIFJGQzIzNTAgRG9jdW1lbnQgb2YgdGhlIHRlYW0pIDxzZWN1cml0eUBjb250 YWN0LXNvZnR3YXJlLmNvbT6JAlQEEwEKAD4WIQQMbht+gu2ErGFc96VN587d30rB 2AUCXmpENQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBN587d 30rB2NDKEACUAq13Bb0oJ78V36Ub4lb0PkkYtIWmLWoIdTl9kQgGkzYb+Rr5XLxe IlDabP3ChVOCWEDUvEkc4sEuTmJIOUfbGj248AEstT8MdxNFBCO/zB+ibbyo3eVF vXFaucodKTtIyjt0pk12G+XCu3RsWG2Zn2TNxorxLb6EdrTCJUaSPGHTjZjQ36Ap /vwl+FWpTRXKdq5W44CmwImkWAo42HShWVAw9NiCYTdG3+8vTd6r/tE/hbizO+vj aTM4ds1a+Zw/4ZxXhRKFejSMqkk4ccyFPDzRkeHsx7rdmuBkIubIQJ7YZ4RLuiyl Q4TyLbY+EFCC0ecS5up/sBscAgjrkBQ57wY3CpjTyfu0Jx/lyLn7bknMMloscSZX FkidtkGPDChtrcMn/V8cdeNmnZ/bwwXoKA2N415wniyB92ChyMpldQ4TwRCDYCXw a38A8PPqETHDT4Jw5fM3V6LLObcCIXZDGCR8hQ1FYG32hLIYxHXI8Y/mclFDr7Ae i1YnVa/0yWVELHviQKAAFlOMVR3QeLhg1l/Qg8DBFai/Z8Q4wQZPBYE3w+woDNlD v4KFodHmi8oYmVo7F53dhEqqz/Z/7anmwI/7UIrngUtkrCFUJJ3T8x95HgrAF4zN 4jVublupukTVUK428FGD3UKFZrvlosPinVr6A+lxSFLAbIZo7jF8QLkCDQReakQ1 ARAAuTufWtkkDsHVpq6IQbjRu88V7lVzYQ3SZT+jI8JINhyOHY2tfiWAjt+aq1G/ xn+3gmg1fw9DtQRRwvf14C40/yku/8ZUu2ED4/vbE1oMVmgXte5qEQjTgZOk9ZIW HrT+Qo9SsvdFy3SrxqDU3/WdaZIzwg3VuuglHwtixH4mgva6G+J1OOzrLRmrrJVb aR9VPsXw/HHRdw10DLhWsZJ6ORiTbBIFT0FwTqMTO4w1/mmJt1bxpr4hJfhSdbRY 8ZoM1GCot6oTvGsO7COnfwfH0F9a1f52HIsgzg34dVkre5yZmUjajTvvhIRSTg+l I3U+fF3afVgE+VK2nHmda/o9A52OZ4z+FeCjCBUz0qPlniPKUcdOgJXLHgjG8L9/ hO9XIPWTwPW1y4lMizIIHzXvUVQT++BgCP+gnJPVmjBjXYkLbrwrDiH8yoNIyQP3 Og0fSk2o2wiZznmI2torf7N4RBq4nGm7jLVJMIK4s698J1BxGf5e11CkF02Q5kKw 8gywxManAs/6h8VUzDTmDKr4wc9ET9Tcot9fQao+QE2+7hSysIjlzk81b/JPEgQp +d7rT9udbkWY/xbAtm6VKrgpZNkauVaA6TzG1Di7D2vMO8I/nnYXfMYh/TuiFKy5 DA/jFUM4WrxRRlRVdw3Q//nm3Cupp10R0ZtBWUMIIE1uTckAEQEAAYkCPAQYAQoA JhYhBAxuG36C7YSsYVz3pU3nzt3fSsHYBQJeakQ1AhsMBQkDwmcAAAoJEE3nzt3f SsHY+3QQAKTOEs2UPS88AoXu5pOSEXb796Pm4mXdsHYDETn97rX6/6q9TheS7YIL +ucF1uLGaXVdU4abjtRXljzGHBTV+iU3v8hQf9xEvSw8Kz5cn4PxrgiznBYP9qLR XVghObAmOsZQV3P/WqvVk04osl7vJbGQh5htCijPtUyflndYuyQ2JA8sf+rbRJf/ YfqWocfGJ2GjMPQ8W2vEV9mmnJTNCSBNYDtdWKGS2GCy79dhD+KrQDK+FEGR9PRI Gy3DNFJbHnRynkZEzjqokuZYm38/t10T8/xWBsS34N5bxYcyL2dWUJY1riEwtgYc Bc55fyYLmvCeABZN2fwHJ0eJ6FnDxBJXQ2dO/SHd2s1YqbilFCiW651GbiSLG7nY d1PufJ4Ue3D0asUTiyV/6QxEXL82a5tTAv3CyBYH6v41kXwY60wToqBorOynbg+v pYR11msOIJv/1IvmqEoHyWbr2fGrfs1CmhsuoIpRNKCj4OErkHCWIYhf7T4t7VL9 67WHYtO052Uppm6WccQOTa4gt9s3K8nTqanITSOlRfOvGPIdcR0zjWlcw5MyM4Y2 rA+H268WFDw+T9O+QOxRhcWyC8PBh2V3QrzGi0LRgd+MJuEAsgZ11oW8bcBwblyX 0PJJs47a/fWjkl07S92bgqb7C9mqysSPhRwEJd74rZROjGEeZcXBuQINBF5qRQEB EAC9PnOzDMAQ+abDeSqWnzUyc2RVND4qvWkrnlMH4TFvLfNrQ2k95Qiz8LweQ8eT undcAub2UFQVkGP7tHbjUUpN3sjF4kYvsixx8GnhQ3JMKYVnnACL4XN0oQjl4iyN I/j6+2rEIaiH+lHRk5uHQ+en+1+bWyXgjKc3kjMd697su9DpdRe++AQZhIBXMjhH dHKmQyW+ev7O7RfEw5pHTtHTn9/50aVATFAEp/ZSsbBYCZO2+TV1UjEwLzR2Xtwr YJbauh5JEqEPEv9qQGuDXeXAwuztF3g5j2kPGdp6s3NHVMxufN49d/L6WWczuj7p nRmuf57PH9rgLTvOB12TcvxPY8CUvYrZt9g+kmZCOHJxr7kAP5rZ3xuV+mTeTn1m Sgvt4xDBcBPTutH0pxg2Mu8qv74ECk2zKWNAyHJ6guzf+zaXIv5GLNU/SR2HKJBv r5tNSOB0oi5T6OX0iO75MJlCSJFD5TwKfYOCO3bGYbuuJgBQHFek1n4eUNxNA1eb J0snoxxkAzHXYGkYPQMKdXAd5maz5TQUFZpv9qEbAodnMIXVLLQRn8adv+1nnMqv CDaur7PpSTrwmtCpHOlgDtzdVKPAjQ+kv1Gs+33RCTcgPcBfENKDmQIOsvF+ns55 4DNFBeFPLDRxORxMkQcTBKbI0M7YDmtF8eAWlCmb778pvQARAQABiQI8BBgBCgAm FiEEDG4bfoLthKxhXPelTefO3d9KwdgFAl5qRQECGyAFCQPCZwAACgkQTefO3d9K wdh7NA//TIcHIfkupDUMwDVeT+4zer8F5pxuyXt7Rl2EVoRVyw6CoZDIcq0r7nKK rgGWosluSCGJ8xfgJM0F69L/wY4YHw2YU9AjmoDiO5BLpjMrxcLTw09LECpcgiaI PBHssoHygtLHkljaTCn7h07eeBqPnlnYu3xD9m1jZcPd4paPspebto7rrvH37jnx rh+wkoj/zAKL4NDr5rsE1ndKlBwV6qsaxLKQ4eApkag53bjx+obzmUaXIA2MJ8ba 4RUS4eHZ9o+vLO4PEUBCpKcoL7J3zUIje2r4yyWanR5T1TJ4UPHTOzXh22AFOinT RMJmRDdDC812+97o2X0n+Jc8JAI4RdVhZ9CwOx18FrzpVYpivd339WgYP+WsGNV8 r6Oc0Qeyd51ATVRKYfGgTBEl9I3R/Cwnlaw8fasJHvjGQoUn4YxA3RsXDe1qguLE l2stY1GnAKVFBuz8od3+fwEsv9wB1Yd4AT04+DC/4lvhVny7Ko2m0m8gexI1HkOG oDr954QSorhWH9qHrcwB+n6sXKa/8qWzgy/ceQttCVOhNjt352CGDYRWwEsV0sUr +fP+HEgFA+KPTdThK7pSdeP9KH7mw6q3cRsOEpjy5s4GdVPmiT5tskCWCF5tm45T Nc8zFARhOtSQ1NADfGnGa9GhfhnEU0RDbe7hHIwIZlBuQ7rB9d8= =mpUw -----END PGP PUBLIC KEY BLOCK-----
2.9 Team Members
No public information about team members is disclosed.
2.10 Points of Customer Contact
The preferred method for contacting the security team is via e-mail at <security@contact-software.com>. If it is not possible (or not advisable for security reasons) to use e-mail, the security team can be reached by telephone during regular office hours. The security teams' hours of operation are generally restricted to regular business hours (09:00am – 05:00pm, Monday to Friday except holidays).
3 Charter
3.1 Mission Statement
The purpose of the security team is, first, to help improve the security of the products made by CONTACT Software GmbH, and second to assist customers and partners in responding to incidents or vulnerabilities related to CONTACT Software GmbH products.
3.2 Constituency
The security team provides its services to the following groups. The amount of services varies by group and may be subject to support contracts.
- Employees (especially development and support related) at CONTACT Software
- Customers using CONTACT Software products
- Partners of CONTACT Software
Topics relating to general operations, the web site or other security related topics relating to CONTACT Software GmbH may be handled on case by case judgement. Usually those will be forwarded to the responsible persons and not handled by the security team itself.
3.3 Sponsorship and/or Affiliation
The security team is affiliated to the software development (SD) department of CONTACT Software GmbH.
3.4 Authority
The security team has authority over the software development and release process at CONTACT Software GmbH.
It has NO authority over the deployed systems at customer sites and can only act in advising mode for those. It has also NO authority over the products based on CONTACT Software GmbH products but distributed and marketed by partners. It also has NO direct authority over the website or most other operational services used by CONTACT Software GmbH.
4 Policies
4.1 Types of Incidents and Level of Support
The focus of the security team on the product part instead of the operation of a deployed system reflects in the types of incidents handled and the support provided.
The security team will provide support for the following incidents and topics. The amount of support varies by topic and involved parties and may be subject to support contracts.
- Handle reporting of vulnerabilities in CONTACT Software GmbH products
- Handle the disclosure process for vulnerabilities and patches
- Provide consulting support for teams inside CONTACT Software GmbH
- Provide tools and documentation about security topics
- Provide advice or assistance to customers CSIRT teams when resolving incidents related or involving CONTACT Software GmbH products
- Provide limited consulting support for customers regarding secure deployment or operations practices of CONTACT Software GmbH products
- Provide consulting support for partners for security topics related to CONTACT Software GmbH products
4.2 Co-operation, Interaction and Disclosure of Information
CONTACT Software GmbH Security Team regards cooperation and information sharing with other CERT/CSIRTs. Information is only passed depending on its classification and need-to-know basis unless we are required to by law. CONTACT Software GmbH Security Team supports responsible disclosure methodology (see OWASP Vulnerability Disclosure Cheat Sheet) with a usual timeframe of 30 days for security patches which might be extended to 90 days if needed.
4.3 Communication and Authentication
When using email communication via the security@contact-software.com mailing address, the messages will be signed with the security teams pgp key as listed in section 2.8. The current key may be retrieved from the keyservers at https://keys.openpgp.org/. All sensitive communication to CONTACT Software GmbH Security Team should be encrypted with our public PGP key. Senders should sign their messages if possible.
5 Services
5.1 Incident Response
All incidents related to **products** of CONTACT Software GmbH will be evaluated. Incidents related to CONTACT Software GmbH services/other topics will be forwarded to the responsible business units. Senders are encouraged to use typical points of contact (if known) for those interactions as CONTACT Software Security Team is only a fallback for operational concerns. If necessary in-depth analysis is provided by technical experts.
5.1.1 Incident Triage
- Incoming incident reports are evaluated, priorized and compared to ongoing incidents.
- Incidents are:
– checked whether they are comprehensible using given information
– classified with a severity and scope
5.1.2 Incident Coordination
- Incident related information objects (e.g. logfiles, ...) will be classified with respect to information disclosure policy.
- All other involved internal and external parties will be notified on a need-to-know basis respecting our information disclosure policy unless we are required to by law.
5.1.3 Incident Resolution
- The cause of the incident will be determined and its effects will be mitigated.
- Possibly analysis of compromised systems.
5.2 Proactive Activities
- Security Trainings for CONTACT Employees
- Security Reviews in the secure (product) development lifecycle (SDL)
- Secure Deployment Guides / Best practise guides
- Development of security configuration tools
- Introduction of new security requirements into product roadmap
- Publication of Security Advisories
- In-House Penetration testing & investigation of penetration testing results of customers
- Continuous Integration / Continuous Deployment with static code analysis
- Post-Mortem analysis to learn from the past
6 Incident Reporting Forms
No special incident reporting form is necessary. Please use the email address listed in section 2.7. Please include the following information with your reports.
- Contact Details
- name of person
- name and address of organization
- email address, telephone number, pgp key information if available
- Short summary of the incident
- Systems affected:
– Product Names and Versions involved
– Additional information
– Details of observations that led to discovery (i.e. logfiles, screenshots, etc.)
If possible please sign your message with your PGP private key, to establish a secure communications channel.
7 Disclaimers
While every precaution will be taken in the preparation of information, notifications and alerts, CONTACT Software GmbH assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.