ATOSS takes the security of its products very seriously, with a comprehensive secure software development life-cycle process and clear quality and security standards for software development. There is a dedicated Security Response Process in place as the most visible evidence of our commitment.
The ATOSS R&D team is responsible for investigating all reported security vulnerabilities, working closely with the reporters of vulnerabilities to provide patches.
ATOSS informs customers about the patches and their importance. Since the integrity and security of business operations are crucial for businesses in all industries, ATOSS as a provider of business software is absolutely committed to maintaining the highest possible level of security within its products. ATOSS encourages the responsible disclosure of security vulnerabilities.
If you have detected a vulnerability in one of our software products – either in the latest or in a former product version – please inform us about the issue.
Give ATOSS sufficient time to develop suitable fixes
Fixing security vulnerabilities can be a long and arduous process: we develop a patch, ensure its compatibility with all relevant software versions, run comprehensive tests to ensure that the fix works as intended and has no side effects, and then provide it to our customers. As a vendor of business software we provide security fixes not only for the latest version, but also for many older versions of our software products. This means that we need to develop and thoroughly test feasible patches for a broad range of product versions, which can take time.
Do not publicize vulnerabilities until ATOSS customers have had time to deploy fixes
The deployment of patches for ATOSS products is usually more complicated than a software upgrade on a consumer PC. Depending on the nature of the vulnerability, deploying a patch or update may require configuration or deployment tasks that are subject to customer-internal restrictions or processes; some customers, for example, follow fixed patching cycles. Considering these circumstances, we ask all security researchers to give ATOSS customers sufficient time to implement patches in their systems. As a rule of thumb, we suggest allowing three months for deployment at customer sites once ATOSS has released the patch. In the interest of our customers, we ask all security researchers not to disseminate any information or tools that would help to exploit the vulnerability during that time. Please also inform the R&D team about all upcoming public advisories and external presentations with ATOSS product security content via email to firstname.lastname@example.org, including the intended content, at least 3 weeks in advance.