Security Policy
At IGS, we take security seriously; read below for our app security processes. If you need urgent support, don't hesitate to contact us.
IGS's process for handling vulnerabilities discovered within our Apps is as follows:
Investigate the scope
The investigation will commence upon notification, which is handled between 9 am and 6 pm (HKT).
Identify the root cause of the incident, for example, by consulting access, audit, and application logs, reviewing code, etc.
Confirm whether any end-user data might have been compromised.
Determine how long the security issue might have been present.
Determine which users of the app were affected and all information that was or may have been compromised.
Consider engaging external help, such as an incident response partner or security consultant, to help with this process if required.
Notify Atlassian immediately once the vulnerability is confirmed.
This is done via Atlassian Marketplace / Report Incident, which routes to the Developer Service Desk.
Contain the incident:
Deploying a fixed version of the application to our cloud hosting
Disabling access to a specific cloud app
Disabling customer access to our cloud hosting - i.e. stop all access to our apps
Recovery from the incident
(e.g. restore backups, revert unauthorised changes)
Notify customers
Create an incident for the affected app on https://igs.statuspage.io/
Identify exactly which customers have been affected and to what extent
Send an email from support@igsl-group.com to the affected customers (in BCC) to notify them of the vulnerability, including a link to the StatusPage incident, the CVSS rating, and an acknowledgement of the security researchers involved
Review response
We will conduct an internal meeting to determine what can be done to minimise the chance of similar issues surfacing again. This can be scheduled 1-2 weeks in the future to ensure we have time to analyse the issue thoroughly:
Are there any indicators of compromise that are still present? (monitoring tools can also be used to help confirm this)
Are there any lessons learned from the response to the incident that need to be used to update IGS's response process? Are there any lessons that would reduce the time taken to investigate or resolve the situation?
Have any actions been taken to reduce the chances of a similar future security compromise?
Does our logging need to be improved to expedite the investigation of any future incidents?
If the external cyber security advisers/incident response firm has been involved, do they agree the incident is resolved?
Closure
This stage ensures that the StatusPage incident, the BugCrowd ticket, and the Atlassian ticket are all closed and that all related communications have been concluded.