Vulnerability Responsible Disclosure Policy
Reporting Security Vulnerabilities
Venafi supports the security research community and welcomes reports of vulnerabilities in its infrastructure / products. Venafi treats all reports with high priority. Venafi is committed to reviewing and addressing any identified security issues through a coordinated and constructive approach.
Security researchers, industry groups, government organizations, vendors, and partners are encouraged to report any potential vulnerabilities to Venafi using the submission instructions below.
Submission Instructions
Email your findings to the Venafi Security Team at security@venafi.com. Direct all reports only to the Security Team's email address, security@venafi.com.
Include the following information in your report to Venafi:
- Your name and contact information
- Organization (if applicable)
- Affected Venafi products or solutions (with version numbers) and any affected infrastructure
- A detailed description of the potential vulnerability
- Supporting technical details, including descriptions or examples of exploit/attack code, packet captures, and steps to reproduce the issue
- Any known information about active or newly published exploitation of the issue
- Your assessment of the impact and severity
Compliance Guidelines
To protect Venafi's employees, partners, and business, Venafi asks external security researchers and research groups to comply with this policy. Venafi takes security issues very seriously; note that some vulnerabilities take longer to resolve than others.
A report is considered compliant only if the reporting party adheres to the following guidelines:
- Findings are not publicly disclosed without express written consent from Venafi.
- Submissions are made only to the security@venafi.com distribution address.
- After submission, only the communication methods that Venafi approves and specifies are used.
- No disruptive testing is performed, such as Denial of Service (DoS) or any similar action that could impact the confidentiality, integrity, or availability of Venafi's infrastructure or products.
- No social engineering attacks against Venafi employees, partners, or representatives are performed.
- No physical security attacks are committed against any person or entity associated with Venafi.
- No payment or other rewards are demanded as a condition of providing information on any security vulnerabilities.
- No discovered vulnerability is exploited to view or alter data without explicit authorization.
- No testing is performed against third-party applications, websites, or services that integrate with Venafi or link to or from Venafi.
Questions
Please direct any questions about this policy to security@venafi.com.