Vulnerability Response Policy

Introduction

Archer strives to help our customers minimize risk associated with security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance, and mitigation options to address vulnerabilities. The Archer Vulnerability Response Team (Archer VRT) is chartered and responsible for coordinating the response and disclosure for all product vulnerabilities that are reported to Archer.


How to Report a Security Vulnerability

If you identify a security vulnerability in any Archer product, please report it to us immediately. Security researchers, industry groups, vendors, and other users that do not have access to Technical Support should send vulnerability reports directly to the Archer VRT via email. Timely identification of security vulnerabilities is critical to mitigating potential risks to our customers.

Archer customers and partners should contact their respective Technical Support team to report security vulnerability discovered in any Archer product. The Technical Support team, appropriate product team and the Archer VRT will work together to address the reported issue and provide customers with next steps, as appropriate.

When reporting a potential security vulnerability, please the below information to help us better understand the nature and scope of the reported issue:


  • Product name and version containing the vulnerability

  • Environment or system information under which the issue was reproduced (e.g., product model number, OS version, etc.)

  • Type and/or class of vulnerability (XSS, buffer overflow, RCE, CWE, etc.)

  • Step-by-step instructions to reproduce the vulnerability

  • Proof-of-concept or exploit code

  • Potential impact of the vulnerability


Handling Vulnerability Reports

Archer believes in maintaining a good relationship with security researchers and, with their agreement, may recognize a researcher for finding a valid security vulnerability and privately reporting the issue to the Archer VRT. In return, we ask that researchers give us the opportunity to remediate the security vulnerability before disclosing it publicly. Archer believes that coordinating the public disclosure of a security vulnerability is critical in helping to protect our customers.

With this policy, all disclosed information about \ vulnerabilities—is intended to remain between Archer and the reporting party—if the information is not already public knowledge—until a remedy is available and disclosure activities are coordinated.


Vulnerability Remediation

After investigating and validating a reported vulnerability, we will attempt to develop and qualify the appropriate remedy for Archer products under active support from Archer. A remedy may take one or more of the following forms:


  • A new release of the affected product packaged by Archer;

  • An Archer-provided patch that can be installed on top of the affected product;

  • Instructions for downloading and installing an update or patch from a third-party vendor that is required to mitigate the vulnerability;

  • A corrective procedure or workaround published by Archer that instructs users on adjustments to the product configuration to mitigate the vulnerability.


Archer makes every effort to provide the remedy or corrective action in the shortest commercially reasonable time. Response timelines depend on many factors, such as severity, impact, remedy complexity, the affected component (e.g., some updates require longer validation cycles or can only be updated in a major release), the stage of the product within its lifecycle, and status of business operations, among others.


Impact and Severity Ratings

Archer currently uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) open framework for communicating the characteristics and severity of software vulnerabilities.  Many factors, including the level of effort required to exploit a vulnerability as well as the potential impact to data or business activities from a successful exploit, are taken into consideration.

The overall impact of a security advisory is a textual representation of the severity (i.e., critical, high, medium, or low) that follows the CVSS Severity Qualitative Severity Rating Scale for the highest CVSS Base Score of all identified vulnerabilities. When and where applicable, Archer will provide an overall impact for the advisory and, for each identified vulnerability the CVSS v3.1 Base Score and corresponding CVSS v3.1 Vector. Archer recommends that all customers consider both the base score and any temporal and/or environmental metrics that may be relevant to their environment to assess their overall risk.

Remedy Communication

Typically remedies are communicated to customers through Archer Security Advisories, where applicable. To protect our customers, Archer strives to release a Security Advisory via the Archer Community once a remedy in place for affected Archer product(s). However, Archer may release Security Advisories sooner to respond appropriately to public disclosures or widely known vulnerabilities in the components used within Archer products.

Archer Security Advisories are intended to provide details to allow customers to assess the impact of vulnerabilities and remedy potentially vulnerable products. Full details may be limited to reduce the likelihood of malicious users taking advantage of the information and exploiting it to the detriment of Archer customers.

Archer Security Advisories typically include the following information, as applicable:


  • The overall impact, as a textual representation of the severity (i.e. critical, high, medium, or low) that follows the CVSS Severity Qualitative Severity Rating Scale for the highest CVSS Base Score of all identified vulnerabilities;

  • Products and versions affected;

  • The CVSS Base Score and Vector for all identified vulnerabilities;

  • Common Vulnerability Enumeration (CVE) identifier for all identified vulnerabilities to enable information for each unique vulnerability to be shared across various vulnerability management capabilities (e.g., vulnerability scanners, repositories, and services);

  • Brief description of the identified vulnerabilities and potential impact if exploited;

  • Remediation details with update/workaround information;


Acknowledgment to the finder for privately reporting the vulnerability and working with Archer on a coordinated release, as applicable.


Additional Disclosure Information

As policy, Archer does not provide information about vulnerabilities beyond what is provided in the Archer Security Advisory and related documentation, such as release notes, knowledgebase articles, FAQs, etc. We do not distribute exploit/proof of concept code for identified vulnerabilities. In accordance with industry practices, Archer does not share the findings from internal security testing or other types of security activities with external entities.


Notifying Archer of other Security Issues


To report any other security issue to Archer, please use the appropriate contacts listed below:


To report a security vulnerability or issue in ArcherIRM.com or other online service, web application or property, submit a report at [email protected] with step-by-step instructions to reproduce the issue.


To submit privacy related requests or questions, see Archer Privacy page.


Customer Entitlements: Warranties, Support, and Maintenance

Entitlements of Archer customers regarding warranties and support and maintenance—including vulnerabilities in any Archer software product—are governed by the applicable agreement between Archer and the individual customer. The statements on this web page do not modify, enlarge, or otherwise amend any customer rights or create any additional warranties.


Disclaimer

All aspects of the Archer Vulnerability Response Policy are subject to change without notice and on a case-by-case basis. Response is not guaranteed for any specific issue or class of issues. Your use of the information contained in this document or materials linked herein is at your own risk. Archer reserves the right to change or update this document in its sole discretion and without notice at any time.