Reporting Security Vulnerabilities
Venafi supports the security research community and welcomes reports of vulnerabilities in its infrastructure / products. Venafi treats all reports with high priority. Venafi is committed to reviewing and addressing any identified security issues through a coordinated and constructive approach.
Security researchers, industry groups, government organizations, vendors, and partners are encouraged to report any potential vulnerabilities to Venafi using the submission instructions below.
Email your findings to the Venafi Security Team at firstname.lastname@example.org. Direct all reports only to the Security Team's email address: email@example.com
It is important to include the following information in the report to Venafi:
- Your name and contact information
- Organization (if applicable)
- Venafi products/solutions with versions / any infrastructure affected
- A detailed description of the potential vulnerability
- Supporting technical details, including descriptions or examples of exploit/attack code, packet captures, and steps to reproduce the issue
- Any known information about active/new exploits
- Assumed impact / severity
Acknowledgement after receiving a report
Once a report is properly submitted to firstname.lastname@example.org, Venafi's Security Team will acknowledge receipt of your vulnerability report within 48 to 72 business hours of submission. If the report is submitted during the weekend or on a U.S. public holiday, it will be acknowledged within the next 48 to 72 business hours.
To protect Venafi's employees, partners and the business, Venafi requests that any external security researchers or groups comply with this policy. Venafi takes security issues very seriously, and, as you know, some vulnerabilities take longer to resolve than others.
A report will be considered as compliant ONLY if the following guidelines are adhered to by the reporting party:
- Any finding is not publicly disclosed without express written consent from Venafi.
- Any submission is ONLY made to the email@example.com distribution list.
- Only communication method(s) approved and stated by Venafi after submission are used.
- No disruptive testing, such as Denial of Service (DoS) or any similar action, is performed that could impact the confidentiality, integrity or availability of Venafi's infrastructure or products.
- No social engineering attacks against Venafi employees, partners, or representatives are performed.
- No physical security attacks are committed against any person or entity associated with Venafi.
- No payment or other rewards are demanded as a condition of providing information on any security vulnerabilities.
- No discovered vulnerability is exploited to view or alter data without explicit authorization.
- No testing of third-party applications, websites, or services that integrate with or link from or to Venafi.
Please note that Venafi currently does not offer a bug bounty program or compensation for disclosure. However, if you have reported an issue that is determined to be a valid security issue and have followed all of Venafi's guidelines, Venafi will recognize and credit you for the finding (if you are the first to report a unique vulnerability) in Venafi's Hall of Fame / Quarterly Report, in addition to providing you with any available swag. You will be allowed to disclose the vulnerability after a fix has been issued by Venafi and Venafi has formally approved the disclosure.
Please refer any questions on this policy to firstname.lastname@example.org.