Reporting Security Vulnerabilities -
Venafi supports the security research community and welcomes reports of vulnerabilities in its infrastructure / products. Venafi treats all reports with high priority. Venafi is committed to reviewing and addressing any identified security issues through a coordinated and constructive approach.
Security researchers, industry groups, government organizations, vendors, and partners are encouraged to report any potential vulnerabilities to Venafi using the submission instructions below.
Submission Instructions -
It is important to include the following information in the report to Venafi:
• Your name and contact information
• Organization (if applicable)
• Venafi products/solutions affected, with version numbers, and/or any Venafi infrastructure affected
• A detailed description of the potential vulnerability
• Supporting technical details, including descriptions or examples of exploit/attack code, packet captures, and the steps needed to reproduce the issue
• Any known information about active/new exploits
• Assumed impact / severity
Acknowledgement after receiving a report -
Once a report is properly submitted to firstname.lastname@example.org, Venafi’s Security Team will acknowledge receipt of your vulnerability report within 48 to 72 business hours of submission. If the report is submitted during a weekend or a U.S. public holiday, it will be acknowledged within the next 48 to 72 business hours.
Compliance Guidelines -
To protect Venafi’s employees, partners and business, Venafi asks all external security researchers and groups to comply with this policy. Venafi takes security issues very seriously; note that some vulnerabilities take longer to resolve than others.
A report will be considered compliant ONLY if the reporting party adheres to the following guidelines:
• Any finding is not publicly disclosed without express written consent from Venafi.
• Any submission is made ONLY to the email@example.com distribution list.
• Only the communication method(s) approved and stated by Venafi after submission are used.
• No disruptive testing, such as Denial of Service (DoS) or any similar action, is performed that could impact the confidentiality, integrity or availability of Venafi’s infrastructure or products.
• No social engineering attacks against Venafi employees, partners, or representatives are performed.
• No physical security attacks are committed against any person or entity associated with Venafi.
• No payment or other rewards are demanded as a condition of providing information on any security vulnerabilities.
• No discovered vulnerability is exploited to view or alter data without explicit authorization.
• No testing is performed against third-party applications, websites, or services that integrate with Venafi or link to or from Venafi.
Please note that Venafi currently does not offer a bug bounty program or compensation for disclosure. However, if you have reported an issue that is determined to be a valid security issue and have followed all of Venafi’s guidelines, Venafi will recognize and credit you for the finding (if you are the first to report a unique vulnerability) in Venafi’s Hall of Fame / Quarterly Report, in addition to providing you with any available swag. You will be allowed to disclose the vulnerability after a fix has been issued by Venafi and Venafi has formally approved the disclosure.
Please refer any questions on this policy to firstname.lastname@example.org