Vulnerability Responsible Disclosure Policy
Reporting Security Vulnerabilities
Venafi supports the security research community and welcomes reports of vulnerabilities in its infrastructure / products. Venafi treats all reports with high priority. Venafi is committed to reviewing and addressing any identified security issues through a coordinated and constructive approach.
Security researchers, industry groups, government organizations, vendors, and partners are encouraged to report any potential vulnerabilities to Venafi using the submission instructions below.
Submission Instructions
Email your findings to the Venafi Security Team at security@venafi.com. Direct all reports only to the Security Team's email address, security@venafi.com. Send only one email and do not reply again to that email.
It is important to include the following information in the report to Venafi:
- Your name and contact information
- Organization (if applicable)
- Venafi products/solutions with versions / any infrastructure affected
- A detailed description of the potential vulnerability
- Supporting technical details, including descriptions or examples of exploit/attack code, packet captures, and steps to reproduce the issue
- Any known information about active/new exploits
- Assumed impact / severity
Requirements for Valid Submission
To protect Venafi's employees, partners and the business, Venafi requests that any external security researchers or groups comply with this policy. Venafi takes security issues very seriously, and, as you know, some vulnerabilities take longer to resolve than others.
A report will be considered and responded to ONLY if the following guidelines are adhered to by the reporting party:
- Reports must relate to Venafi infrastructure or products, not sign-in pages managed by a third party, including success.venafi.com and Venafi.okta.com.
- Any finding is not publicly disclosed without express written consent from Venafi.
- Any submission is ONLY made to the security@venafi.com distro without duplicate submissions or replies.
- No attachments to the submission.
- Only communication method(s) approved and stated by Venafi after submission are used.
- No disruptive testing like Denial of Service (DoS) or any similar action is performed that could impact the confidentiality, integrity or availability of Venafi’s infrastructure / products.
- No social engineering attacks against Venafi employees, partners, or representatives are performed.
- No physical security attacks are committed against any person or entity associated with Venafi.
- No payment or other rewards are demanded as a condition of providing information on any security vulnerabilities.
- No exploitation is performed of any vulnerability discovered to view data or alter data without explicit authorization.
- No testing of third-party applications, websites, or services that integrate with or link from or to Venafi.
- Any reporting or testing of services controlled by a third party must be directed to and reported to that third party, not Venafi, following the third party's security disclosure instructions.
Questions
Please refer any questions on this policy to security@venafi.com.