Fortra Vulnerability Disclosure Policy Statement

Purpose

Fortra LLC (“Fortra”), a global cybersecurity software and services provider, is committed to the safety and security of its customers, employees, and partners. We believe that the security community and security researchers play a vital role in protecting all users from harm and appreciate their contributions to the greater good. Reporting security vulnerabilities will help us improve the security and privacy of our customers and users. Please use the following process to report suspected vulnerabilities so we may assess and resolve any issues found in Fortra products and services. If a vulnerability is validated, we may assign a CVE to the issue.

Reporting Security Issues

If you believe you have discovered a vulnerability in a Fortra product or have a security incident to report, please complete the form here.

When reporting:

  • Describe the vulnerability including the affected product, version, and operating system or environment.
  • Include the steps required to reproduce the vulnerability (Proof-of-Concept scripts, screenshots and other evidence showing the exploit).
  • Provide information about the potential impact of the vulnerability and potential remediation, if possible.
  • Provide contact information for us to follow up with you.
  • Please do not include: any personally identifiable information of any person other than yourself or any information protected by data privacy laws.

Please let us know if and how you would like to be credited in public advisories (by name, company, organization, etc.). Fortra does not provide any financial awards for finding issues or participate in any public bug bounty programs.

When we have received a report, Fortra will:

  1. Investigate and verify the vulnerability, then address it. This may include an upgrade or patch, remediation steps, or configuration changes as appropriate. If a fix cannot be made in a timely manner, Fortra will endeavor to provide mitigation instructions or take action to protect customers as appropriate.
  2. Publicly announce the vulnerability in the release notes of the update and/or a security advisory. Fortra may also issue additional public announcements, for example via social media, our blog, and media.
  3. Reference the reporter who submitted the vulnerability, unless they would prefer to stay anonymous.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and services, and better protect our customers. Thank you for working with us through the above process.

Coordinated Vulnerability Disclosure (CVD) Policy

In keeping with standard industry practices around Coordinated Vulnerability Disclosure (CVD), Fortra will typically prepare and publish advisories detailing newly discovered vulnerabilities approximately 60 days after our initial attempts at private disclosure. All Fortra advisories will be published via the Fortra Security and Trust Centre, although additional announcements may be made via blog posts, social media, and media engagement.

Please note, technical vulnerabilities often involve undefined behavior and unexpected interactions. Therefore, Fortra may modify the timeline for disclosure at our sole discretion. Additionally, Fortra has made a commitment to our customers and reserves the right to notify our customers immediately after identifying a threat to their environment.

All Vulnerabilities (The Default Policy)

  1. Fortra will confidentially disclose discovered vulnerabilities to the Software or Service Vendor that is in the best position to address that vulnerability with a resolution. That organization is the "vendor".
    • If the vendor is not a CVE Partner, Fortra will reserve a CVE ID.
  2. If the vendor has not acknowledged our initial disclosure after 15 days, Fortra will presume they are a "non-responsive vendor."
  3. After 60 days of confidential disclosure to the vendor, Fortra will publicly disclose vulnerability information, including CVE descriptions, opinions on risk, impact, and mitigation strategies, and, in some cases, enough technical detail to demonstrate the issue (collectively, "vulnerability details").
    • During this 60-day window, Fortra expects the vendor will develop a resolution and make any update available for affected parties.
  4. If the vendor is showing consistent good-faith effort to develop and ship an update, but cannot complete this work within 60 days, an extension may be granted. If Fortra becomes aware that an update was made generally available, then the vulnerability details may be published earlier than initially scheduled.

Exploited In the Wild

This is the case where we see active exploitation in a production environment, including our own. The goal in these situations is to release critical information about risk as quickly as possible so organizations may take informed action to protect themselves.

This policy is identical to the default policy but for these changes:

  1. Fortra will aim to notify the vendor and publish public vulnerability information approximately 72 hours after discovery, regardless of the existence of an update.
  2. If the vulnerability was found within an organization’s environment, Fortra will strive to notify directly affected organizations of the disclosure first.
  3. Fortra will notify all impacted customers immediately upon discovering that they are impacted by the threat.

Cloud/Hosted Vulnerabilities

This is the case where end users or implementers have nothing to fix on their end — fixing the issue requires only one vendor to act.

This policy is identical to the default policy but for these changes:

  1. A CVE ID will not be reserved by Fortra.
  2. If the issue is resolved inside the 60-day coordination window, Fortra will assess the value of a public disclosure. If the issue remains unresolved after the coordination window closes, a public disclosure may be issued per the default policy.

Low-Impact Vulnerabilities

These vulnerabilities are trivial enough that an exploit would cause safely ignorable consequences to affected production environments, or are limited to a single production instance, such as one website not connected to critical infrastructure, or exist only in theoretical or very unlikely configurations of affected systems.

This policy is identical to the default policy but for these changes:

  1. Fortra may choose not to publish vulnerability details at any point, but may do so if circumstances change (for example, if it's shown that this low-impact vulnerability can be chained with another to achieve a high-impact result).