Vulnerability Disclosure Policy
Purpose
This policy has been established to set forth the reporting and disclosure process that Coalfire Systems, Inc. and its subsidiaries (collectively, “Coalfire”) adheres to when receiving vulnerability reports on our CoalfireONE software platform and when Coalfire researchers identify vulnerabilities in non-Coalfire products or services.
Scope
Coalfire personnel may discover previously unreported vulnerabilities in products and services during the course of executing contracted work. Additionally, Coalfire personnel may be assigned research projects that include examining third party products and services for vulnerabilities. These two activities are governed by this policy.
Coalfire personnel may also perform vulnerability research for fun or profit on their own time, unrelated to Coalfire contracts or research projects. This policy does not govern that activity.
Reporting vulnerabilities to Coalfire
If you have discovered a vulnerability in a Coalfire product or service, please contact support@coalfire.com. If this issue is significant enough to merit encryption, we can support most modern secure messaging solutions, please let us know your preference.
Once we have received a vulnerability report, the following steps are taken:
- Coalfire confirms receipt of the issue with the reporter.
- Coalfire opens an investigation to verify the vulnerability. Coalfire will work with the reporting entity to gather as much information as needed to verify the vulnerability.
- If the reporting entity is unable to produce information needed to verify the vulnerability, the issue will be closed.
- Upon verification, Coalfire establishes a plan to remediate the vulnerability.
- Coalfire executes the remediation plan and includes the security fix information in the release notes of the product, crediting the reporting entity unless the reporting entity would prefer to not be named.
- After implementing the remediation and publishing the release notes, the issue will be closed.
Throughout this process, Coalfire will operate as transparently as practical and will maintain open lines of communication until the issue is closed.
Reporting vulnerabilities to vendors
When members of the Coalfire team identify vulnerabilities in a third party product or service:
- Coalfire will attempt to contact the vendor.
- First contact: Coalfire will attempt to contact the vendor by email and phone, using one or more of the addresses or numbers from these sources in this order:
- published vulnerability reporting instruction
- “contact us” information published on the vendor’s web page
- Sales or support contact information
- DNS or whois information
- Second contact: In the event the first contact fails to receive a response within 7 calendar days, Coalfire will call the vendor using one or more of the numbers found:
- On the vendor’s website
- On the vendor’s support literature
- On the vendor’s sales literature
- Third contact: In the event there is no response from the vendor within 14 calendar days from first contact, Coalfire will deliver a letter by postal mail to the address on record for the vendor, with delivery tracking.
- If there is no response within 7 calendar days of receiving the letter, Coalfire will proceed with step 4.
- First contact: Coalfire will attempt to contact the vendor by email and phone, using one or more of the addresses or numbers from these sources in this order:
- Upon contact, Coalfire will provide the vendor all the information gathered regarding the vulnerability.
- Barring extenuating circumstances, Coalfire will prepare a vulnerability advisory and assign a CVE ID to the vulnerability upon:
- Being notified by the vendor the issue has been remediated
- 45 days after making contact without remediation
- 45 days after attempting initial contact without response.
- Coalfire will post the vulnerability advisory to the vulnerability disclosure section of the Coalfire.com website for availability to the general public.
Throughout this process, Coalfire will operate as transparently as practical and will maintain open lines of communication until the issue is closed.
Adherence to confidentiality and IP ownership
All vulnerabilities or risk findings that are discovered as a result of services performed pursuant to a client engagement are the property of the client and will not be disclosed to any external entity other than the client without the client’s written permission, except in cases where disclosure is mandated by law. Therefore, without express written permission, Coalfire will not release the vulnerability details to any other entity. Coalfire reserves the right, however, to leverage vulnerability or risk findings on other work performed for any client.
Feedback
All right, title and interest in and to any feedback provided to Coalfire regarding a Coalfire product or service (collectively, “Feedback”) are the exclusive property of Coalfire. By providing Feedback to Coalfire, the reporter conveys to Coalfire any rights and interests he or she may have in any Feedback.