IPS Product Security Assurance & Vulnerability Disclosure Policy

Overview

At IPS Network Inc. (“IPS”), our mission is to deliver secure, resilient, and trustworthy technologies that protect modern digital infrastructures across cloud, network, data, and AI environments. Security is embedded into every stage of our product lifecycle—from initial architecture to continuous operations.

IPS aligns its security assurance and vulnerability handling processes with globally recognized standards, including:

  • ISO/IEC 29147:2018 (Vulnerability Disclosure)
  • ISO/IEC 30111:2019 (Vulnerability Handling)
  • FIRST PSIRT Services Framework 1.0

Our commitment to transparency, responsibility, and customer protection reflects our core values: innovation, integrity, reliability, and partnership.

Scope

This policy covers all IPS products and services, including:

  • IPS OneSecure™ Platform
  • IPS Intelligent GenAI & AI Security Services
  • IPS Cloud, Network & Zero Trust Solutions
  • IPS Professional & Managed Services
  • Any IPS-hosted open-source projects

Only products that have not reached their End-of-Life (EoL) phase fall within this scope.

IPS Product Security Incident Response Team (PSIRT)

The IPS PSIRT is a dedicated team of security professionals responsible for:

  • Receiving and triaging reported vulnerabilities
  • Validating, reproducing, and assessing security issues
  • Coordinating remediation with engineering teams
  • Verifying fixes and risk mitigations
  • Issuing security advisories and customer notifications

The PSIRT ensures a consistent, transparent, and industry-aligned vulnerability response for all IPS products and services.

Reporting Vulnerabilities

IPS welcomes responsible disclosure from customers, researchers, partners, and the security community.

You may report vulnerabilities through the following channels:

1. Vulnerability Report Submission Form

Follow this link

2. Email

urgent@it-prosolution.com

If needed, IPS can provide a PGP key to encrypt sensitive submissions.

3. Customer Support Portal

Customers may submit potential issues through an authenticated support case.

IPS respects Traffic Light Protocol (TLP) labels attached to shared information, and treats all non-public vulnerability details as highly confidential.

To protect customers, IPS requests that reporters do not publish information publicly until IPS has validated and addressed the issue.

For issues involving IPS corporate IT infrastructure (not IPS products), reporters may use our dedicated Responsible Disclosure channel.

Vulnerability Response & Remediation Process

1. Acknowledgment

IPS generally acknowledges reports within one business day, providing a tracking identifier.

2. Analysis & Reproduction

PSIRT and engineering teams reproduce and assess the issue to determine:

  • Severity
  • Impact
  • Affected products and versions
  • Customer exposure

3. Remediation

Engineering teams work to implement, test, and validate fixes across supported versions.
Cloud-delivered services may be updated rapidly, while on-premise products follow regular release cycles.

4. Validation

PSIRT verifies that each fix fully resolves the vulnerability.

Proactive Security Practices

IPS actively performs:

  • Internal security assessments
  • Third-party penetration testing
  • Continuous monitoring of upstream libraries, open-source components, and third-party dependencies
  • Risk reviews during product development and maintenance

This ensures early detection and mitigation of emerging threats.

Secure Software Development Lifecycle

IPS follows a Security-by-Design methodology, including:

  • Threat modeling and secure architecture reviews
  • Code analysis and automated security testing
  • Dependency audits
  • Hardening, verification, and continuous improvements

IPS’s broader approach to product, infrastructure, and data security is detailed in the IPS Trust & Security Program.

Response Prioritization

IPS uses CVSS v4.0 scoring (CVSS-B / CVSS-BT) to prioritize remediation, considering:

  • Severity
  • Exploitation potential
  • Active exploitation (“0-day”)
  • Customer impact
  • Public disclosure timing

High-severity or actively exploited issues receive immediate priority.

Low-severity issues (CVSS < 4.0) or improvements with no demonstrated customer impact may be addressed in future releases without requiring a formal advisory.

If an issue depends on third-party vendors, standards bodies, or upstream maintainers, IPS may publish mitigations and recommended configurations if no direct fix is possible.

Coordinated Vulnerability Disclosure

When a reported issue affects multiple vendors, IPS engages in responsible multiparty coordination, following FIRST.org principles. IPS collaborates closely with researchers, partners, and affected vendors to ensure synchronized and safe disclosure.

Security Advisories

IPS publishes security advisories to ensure customers can take action when required.

Advisories typically include:

  • Affected IPS products and versions
  • Severity and CVSS scores
  • Required configurations
  • Workarounds or mitigations
  • Fix availability
  • CVE identifiers (when applicable)
  • Researcher acknowledgments

Advisory Publication Timing

  • Critical or actively exploited issues: Published as soon as practicable.
  • Other issues: Published on a scheduled basis following availability of fixes for all supported versions.

For IPS cloud services, advisories may not be published if:

  • IPS fully resolves the issue internally, and
  • No customer action is required.

IPS may provide maintenance logs for vulnerabilities resolved within IPS cloud infrastructure.

IPS participates in CVE assignment processes and adheres to CVE program operational rules.

Customers may subscribe to IPS Security Advisory notifications or RSS feeds.

Acknowledgement Policy

IPS values contributions from the security community.
Researchers may be acknowledged in:

  • IPS security advisories
  • CVE entries
  • IPS Hall of Fame (for issues without published advisories)

Acknowledgement is provided only with the reporter’s consent.

IPS may issue bounty rewards where applicable under the IPS Bug Bounty Program.

Escalation

If a reporter is dissatisfied with the handling of a case or has not received a timely update, escalation may be performed through IPS Customer Support.

Legal Notes

IPS supports good-faith security research.
If a researcher complies with IPS disclosure guidelines and acts responsibly, IPS:

  • Considers the research authorized
  • Will not initiate legal action
  • Will support the researcher in case of third-party misunderstanding of authorized testing

Disclaimer

This policy may be updated at any time without notice.
IPS cannot guarantee specific response timelines or outcomes for individual reports.
Use of this policy or associated materials is at the user’s own risk.

Change History

Updated: January 2025 — Policy modernization and alignment with IPS OneSecure™ platform

Published: February 2025 — Effective immediately