Vulnerability Response
Cloud Software Group is committed to keeping its products and customers secure. Cloud Software Group strives to follow industry standards during all phases of the Secure Development Lifecycle (SDLC). As part of its SDLC program, Cloud Software Group has a robust Security Response Process that accepts vulnerability reports against Cloud Software Group products and services from external sources – customers and researchers alike.
The Cloud Software Group Security Response Team is a dedicated team that is responsible for managing the receipt, verification, and public reporting of information about security vulnerabilities in Cloud Software Group products.
In line with its commitment to adhere to international standard ISO/IEC 29147:2018, all issues reported to Cloud Software Group follow our vulnerability response process:
- Receipt: Upon receiving a vulnerability report, Cloud Software Group will generate a unique case identifier and acknowledge receipt by the end of the next working day.
- Triage: Cloud Software Group will investigate vulnerabilities in Cloud Software Group products and services from the date of release until End of Life. The investigation and verification of issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Throughout the investigative process, Cloud Software Group will work with the reporter to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results are delivered to the reporter along with a plan for resolution and public disclosure, if applicable.
- Variant analysis: Cloud Software Group will perform an in-depth analysis to ensure that similar issues are identified and that any action taken will ultimately address the whole class of issues.
- Resolution: The Cloud Software Group Security Response Team will work with Cloud Software Group internal product development teams to address the issue. Timescales for releasing a fix vary according to complexity and severity. Cloud Software Group will provide updates to the researcher as and when progress is made with the vulnerability handling process related to the reported vulnerability.
- Release: When a mitigation or software update is released, Cloud Software Group will provide remediation or mitigation information to users, typically in the form of a security bulletin and software patches or updates. If, during the vulnerability handling process, Cloud Software Group identifies a vulnerability in a third-party product or service, we will endeavor to responsibly disclose this issue and coordinate our public releases.
- Post release: Cloud Software Group will monitor user feedback and, if necessary, update remediation and mitigation information accordingly.
How to Report Vulnerabilities?
Our PSIRT accepts vulnerability reports concerning our products through various channels.
Report Product Security Vulnerability
To submit a vulnerability report, please contact the Product Security Incident Response Team (PSIRT) via email at: secure@cloud.com
For secure transmission of information, you may utilize the Cloud Software Group Public PGP Key.
Bug Bounty Program
Security vulnerabilities will be accepted through our active Cloud Software Group Bug Bounty Program.
To stay informed about security vulnerabilities, update your support notifications to receive future security bulletins by email.
We also recommend that our Citrix customers regularly review and update their organization's security contacts in their Citrix account (www.citrix.com/account).
For an overview of the security work and processes that are performed on the Cloud Software Group product line, consult the Cloud Software Group Secure Development Lifecycle document.