Vulnerability Disclosure Policy

Introduction

GONEO Group Co., Ltd. (hereinafter referred to as "GONEO") is committed to the safety and security of our products. If a vulnerability is discovered, we work to resolve it and publish updates. This document describes the process to submit reports to GONEO regarding potential security vulnerabilities in our products, and our practices for informing customers and other affected entities of verified vulnerabilities.

Vulnerability Handling Process

To clarify GONEO's basic position on vulnerability management, GONEO adheres to the following principles for the vulnerability response and disclosure process:

Preliminary investigation: attempt to identify potential vulnerabilities.

Root cause analysis: attempt to determine the root cause of the vulnerability.

Further investigation: attempt to find other instances of the same type of vulnerability in a product or service.

Prioritization: for each affected product or online service, there may be different severities of the same basic issue.

Possible outcomes of vulnerability handling:
Non-reproducible vulnerability - the issue cannot be reproduced.
Known repeat bug - the issue is a repeat of a vulnerability that has already been resolved or fixed through this process.
Obsolete product error - the vulnerability exists in a product that is no longer supported.
Non-security error - the issue is a bug that has no security implications or is not currently exploitable by known techniques.
Third-party error - the vulnerability is caused by third-party code or configuration, or exists in a specification for which GONEO is not directly responsible.

Develop vulnerability remediation strategies:
Solution decisions - determine ways to fully address the vulnerability, reduce the impact of its exploitation, or reduce exposure.
Generate fix patches - produce patches, fixes, upgrades, documentation or configuration changes to address the vulnerability.

Test remediation strategies (patches): develop and execute appropriate tests to ensure that vulnerabilities are addressed on all supported platforms.

Issue vulnerability fixes:
Online service vulnerability solutions - follow the organization's production system update deployment or configuration change process.
Product vulnerability solutions - for affected users who must take certain steps to protect themselves from vulnerabilities in their products (e.g., install patches).

Case maintenance: further updates to the solution may continue after the solution has been released.

Secure development lifecycle feedback: use information obtained during root cause analysis to update the development lifecycle to prevent similar vulnerabilities from occurring in new or updated products or services.

Monitoring: for online service vulnerabilities, the stability of the product or service is monitored after remediation has been applied. Monitoring patch uptake after release can help focus communications on the majority of affected users.

Contact GONEO about a potential vulnerability

Contact GONEO by sending an email to bess@goneohome.com if you have identified a potential security vulnerability in one of our products. Your report will be reviewed, and appropriate personnel will contact you to follow up if required. We will strive to acknowledge receipt of your report within 2 business days and to provide a preliminary response within 7 business days.

Please do not include any data in your report that could violate the privacy of any user without first obtaining informed consent from such user and making arrangements to properly encrypt and safeguard that information before submitting it to GONEO. GONEO disclaims any liability for such personal information submitted to GONEO without GONEO’s request or consent.

Security Advisories

If there are security advisories related to our products, they will be posted on the "Company News" page under the "Information" heading of our website, https://www.goneohome.eu/ (for example: https://www.goneohome.eu/blog).

Generally, we will issue an advisory when a practical workaround or fix has been issued for a particular vulnerability.

In cases where a third party, such as a security researcher, notifies us of a potential vulnerability, we will investigate and may publish a coordinated disclosure along with such third party. If we receive a report under a confidentiality agreement, we will still work to release a security fix but may only be able to provide limited information about the vulnerability.

GONEO strives to address vulnerabilities and other issues within 90 days after such vulnerabilities or issues are reported. We may request additional time to address an issue when appropriate, usually in cases where third parties are impacted and a coordinated response is required.

Severity and Impact

GONEO follows industry-standard practices in measuring and reporting the potential impact of vulnerabilities, using the current version of the Common Vulnerability Scoring System (CVSS). Details about the CVSS system can be found here.

Our advisories typically document a list of known GONEO products affected by the vulnerability, as well as the appropriate path for obtaining a fix or workaround. In most cases, this will be through an ecosystem update mechanism such as Windows Update.

When possible, we will list all affected versions of the product. Our suggestions may refer to "the version released before a specific date" or "the version released within a specific time period". If you need more detailed information, you can contact bess@goneohome.com.

Acknowledgement

When applicable, and with permission, GONEO will acknowledge the researcher or finder of the vulnerability and thank them for their efforts in improving our products.