Responsible Disclosure Policy | Secure Software Reporting

If you believe that you have discovered a security or privacy vulnerability in a Xona product, please report it to us.

If, instead, you’re looking for technical support for a potential security issue, please contact Xona Customer Success (customersuccess@xonasystems.com). Do not email any security-related issues without reviewing this entire page first.

How to Report a Vulnerability

Xona uses OpenPGP encryption for secure communication. To report a suspected security vulnerability, please send a secure message to our team at product-security@xonasystems.com. You can download our public PGP key below and use it to encrypt your message, following the instructions below.

Reports should provide:

  • Specific hardware (or VM environment).
  • Product and software version(s) that you believe are affected.
  • A technical description of the behavior that you observed and the behavior that you expected.
  • The steps required to reproduce the issue.
  • A proof of concept or exploit.

PGP Encryption Instructions:

  • Upload your public PGP key here.
  • Download our Xona public key here.
  • Within your email tool, encrypt your secure message containing the vulnerability submission contents above using PGP inline encryption with the Xona public key.
  • Send email to product-security@xonasystems.com.

Our Response Process

Xona’s engineering team will review all reports that are submitted directly to us. After you submit your report via email, you’ll receive an automatic acknowledgement that we received your report. We do not issue bug bounties for reporting vulnerabilities.

For the protection of our customers, Xona doesn’t disclose or discuss security issues until our investigation is complete and any necessary updates are generally available (30-60 days).

Xona uses our product release notes to publish information about security fixes in our products and to publicly credit people or organizations that have reported security issues to us.

Xona will also assign a CVE number to the reported vulnerability and provide details of the security issue/fix on our Security Advisories Page.

Please make sure that you include the information covered above. If your report doesn’t include enough information to allow us to reproduce the issue, we may not be able to accept your report. Do not include customer-specific or PII-related information in your reports.

Confidentiality

Any contact information shared with Xona regarding security vulnerabilities is treated with strict confidentiality and is not disclosed to third parties. Only a select group of authorized Xona employees has access to submissions. If the security vulnerability is determined to be a wide-scale issue, we will report and communicate through official channels, but your information and identity will remain anonymous.

Existing CVEs

You can see the list of CVEs that have been reported and fixed on our Security Advisories page.

Thank you for your commitment to helping us maintain the security of Xona products and services. We value your contributions in keeping our systems safe and secure.