Vulnerability Reporting Management
While Absolute strives to make its software and services as secure as possible, it is a fact of life that complex software systems inevitably have bugs, and sometimes these bugs lead to vulnerabilities. We catch the vast majority of bugs and vulnerabilities through our own internal testing, and most of the remainder through our regular engagements with third-party testing companies, but sometimes something slips through. When we discover that this has happened, we aim to address the issue as quickly as possible, notify our customers if there is any risk to them, and release details of what was fixed once we have a fix.
How Absolute processes vulnerability reports
Whenever Absolute becomes aware of a potential security vulnerability, we will quickly move to assess the issue. We will first replicate the problem and then determine whether it represents a security risk to our customers and/or Absolute’s own systems. If we do find that there is any risk, we immediately seek to identify both a fix for the underlying problem and tactical mitigations that will reduce the imminent risk, as well as setting in motion a process to identify the root cause of how the vulnerability made it into the product in the first place.
In the event that we identify a risk and have either a mitigation or a fix, we then move to inform our customers. Customers will receive a notification in their Absolute console when they log in (guest users do not receive these notifications), and we will also inform customers through the email address that they registered with Absolute when they bought the product. If you want to specify a separate email address for the notification of security issues that is distinct from other customer contact email addresses, please contact your sales representative or the Absolute Customer Service team.
After the issue has been resolved (and, if necessary, fixes have been made available), we will post details of the issue, including impacted versions of the software or service and recommended mitigations, to our web site.
Reporting a vulnerability to Absolute
We can’t fix vulnerabilities unless we know about them. That’s why our vulnerability reporting program doesn’t just cover how we keep our customers informed but also how we work with customers, partners and security researchers to receive reports of issues, assess them, address them and credit those who helped us, and to do so in as transparent a way as possible while maintaining the security of our systems and data and those of our customers.
All reports are carefully reviewed, and we will get back to you as soon as possible. If we need more details in order to assess the issue, we will let you know. Once we have sufficient details of the issue, we will aim to replicate the problem, confirm the issue, determine its severity and, if it is a viable threat, identify any mitigations that can be deployed while we work on a fix. Throughout this process we will aim to keep you informed as much as possible.
Depending on the nature of the issue, the time to fix the problem can vary a great deal. For simple configuration issues we can often resolve the issue right away; for issues in client code that is distributed through our OEM partners, it can take rather longer to get a fix into the hands of our customers. In general we aim to resolve all high-severity security vulnerabilities within 90 days, but in most cases the fix can happen much sooner; on rare occasions it can take longer, especially when our OEMs or third parties are involved. During this period we greatly appreciate bug reporters keeping the issues confidential as we work with them to solve the problem.
In the event that you report a product issue that might have an impact on our customers, we will likely issue a security notice and, if the issue is of non-trivial severity, we may release the details with a CVE number. In the event that we release details, we are more than happy to give the discoverer of the issue public credit if desired; if you prefer to remain anonymous, we will honor that choice. We will ask you which you prefer before we release details.
Please note that, like many companies these days, we do not in general offer cash bug bounties for issues that are discovered outside of any formal, by-invitation vulnerability assessment process.
Download PGP Public Key