
Vulnerability Responsible Disclosure Policy

Reporting Security Vulnerabilities -

Venafi supports the security research community and welcomes reports of vulnerabilities in its infrastructure / products. Venafi treats all reports with high priority. Venafi is committed to reviewing and addressing any identified security issues through a coordinated and constructive approach.

Security researchers, industry groups, government organizations, vendors, and partners are encouraged to report any potential vulnerabilities to Venafi using the submission instructions below.

Submission Instructions –

Email your findings to the Venafi Security Team at Direct any reports only to Security Team’s email address -

It is important to include the following information in the report to Venafi:

• Your name and contact information
• Organization (if applicable)
• Venafi products/solutions with versions / any infrastructure affected
• A detailed description of the potential vulnerability
• Supporting technical details, including descriptions or examples of exploit/attack code, packet captures, and steps to reproduce the issue
• Any known information about active/new exploits
• Assumed impact / severity

Acknowledgement after receiving a report -

Once a report is properly submitted to the , Venafi’s Security Team will provide acknowledgement of receipt of your vulnerability report within 48 to 72 business hours of submission. If the report is submitted during the weekend or a U.S. public holiday, it will be acknowledged in the next 48 to 72 business hours.

Compliance Guidelines –

To protect its employees, partners and business, Venafi requests that external security researchers and groups comply with this policy. Venafi takes security issues very seriously, and as you know, some vulnerabilities take longer to resolve than others.

A report will be considered compliant ONLY if the reporting party adheres to the following guidelines:

• Any finding is not publicly disclosed without express written consent from Venafi.
• Any submission is ONLY made to the distro.
• Only communication method(s) approved and stated by Venafi after submission are used.
• No disruptive testing like Denial of Service (DoS) or any similar action is performed that could impact the confidentiality, integrity or availability of Venafi’s infrastructure / products.
• No social engineering attacks against Venafi employees, partners, or representatives are performed.
• No physical security attacks are committed against any person or entity associated with Venafi.
• No payment or other rewards are demanded as a condition of providing information on any security vulnerabilities.
• No discovered vulnerability is exploited to view or alter data without explicit authorization.
• No testing is performed of third-party applications, websites, or services that integrate with or link from or to Venafi.

Credit –

Please note that Venafi currently does not offer a bug bounty program or compensation for disclosure. But if you have reported an issue that is determined to be a valid security issue and have followed all Venafi’s guidelines, Venafi will recognize and credit you for the finding (if you are the first one to report a unique vulnerability) in Venafi’s Hall of Fame / Quarterly Report, in addition to providing you with any available swag. You will be allowed to disclose the vulnerability after a fix has been issued by Venafi, and Venafi has formally approved the disclosure.

Questions -

Please refer any questions on this to
