Responsible Disclosures

How ForAllSecure Handles Security Vulnerabilities

As a provider of application security testing solutions and services, we recognize the importance of safely disclosing vulnerabilities to ensure the security of vendors and their users. Security is critical for maintaining user trust and we strive to build innovative products that serve user needs and operate in their best interest.


ForAllSecure follows a responsible disclosure policy. Vulnerability disclosure is a two-way street. We need to recognize it takes time, once a vulnerability is reported, to fix the bug. Further, it takes time for the users of the software to upgrade.


For open source, our disclosure policy follows Google's, which is available here.


Our disclosure policy for all ForAllSecure employees, contractors, and team members is as follows:

1. If a deadline is due to expire on a weekend, a US public holiday, or a ForAllSecure holiday, the deadline will be moved to the next business day.
2. We have a 90-day public disclosure deadline after notification. We may publicize sooner in the cases of (3) and (4) below. We will not publicize any unpatched vulnerability until after the 90-day period has expired.
3. In the event the vulnerability is fixed and a patch is available, we will wait until the vendor publicly provides disclosure or 30 days have passed, whichever is shorter, before we disclose.
4. If the vendor/developer lets us know that a patch is scheduled to be released on a specific day before the 90-day deadline, we will delay public disclosure until that patch is available.
5. We reserve the right to move any deadline back or forward when ForAllSecure deems it necessary.

Reporting Security Issues

If you believe you have discovered a vulnerability in a ForAllSecure product and/or offering or have a security incident to report, please reach out via security@forallsecure.com.