Vulnerability Reporting Management
While Absolute strives to make its software and services as secure as possible, it’s a fact of life that complex software systems inevitably have bugs - and sometimes these bugs lead to vulnerabilities. We catch the vast majority of bugs and vulnerabilities through our own internal testing, and most of the remainder through our regular engagements with third-party testing companies, but sometimes something slips through. When we discover this has happened, we aim to address the issue as quickly as possible, notify our customers if there is any risk to them, and release further details once we have a fix.
How Absolute processes vulnerability reports
Whenever Absolute becomes aware of a potential security vulnerability we will quickly move to assess the issue. We first replicate the problem, and then determine whether the issue represents a security risk to our customers or our own systems. If we discover any risk, we immediately start work on a fix for the underlying problem, as well as tactical mitigations to reduce the imminent risk. We also set in motion a process to identify the root cause of how the vulnerability made it into the product in the first place.
Once we identify a risk and have established a mitigation or a fix, we reach out to inform our customers. Customers receive notification in their Absolute console when they log in (guest users do not receive these notifications), and we inform customers through the email address they provided to Absolute. Users can also specify a separate email address for the notification of security issues by contacting their sales representative or the Absolute Customer Service team.
After the issue has been resolved (and fixes have been made available, if necessary) we will post details of the issue on our website, including impacted versions of the software or service and recommended mitigations.
Reporting a vulnerability to Absolute
We can’t fix vulnerabilities unless we know about them. That’s why our vulnerability reporting program doesn’t just cover how we keep our customers informed, but also how we work with customers, partners, and security researchers to receive reports of issues, assess them, and address them with as much transparency as possible while maintaining the security of our systems and data, and those of our customers.
All reports are carefully reviewed, and we will get back to you as soon as possible. If we need more details in order to assess the issue, we will let you know. Once we have sufficient details, we begin our vulnerability remediation process, keeping you informed as much as possible along the way.
Depending on the nature of the issue, the fix turnaround time can vary a great deal. For simple configuration issues we can often resolve the problem right away; for issues in client code distributed through our OEM partners, it can take longer to get a fix into the hands of our customers. We aim to resolve all high-severity security vulnerabilities within 90 days. In most cases the fix happens much sooner, but on rare occasions it can take longer, especially when OEMs or third parties are involved. During this period, we greatly appreciate bug reporters keeping the issues confidential as we work with them to solve the problem.
In the event that you report a product issue that might have impact on our customers, we will likely issue a security notice and - if the issue is of non-trivial severity - we may release the details with a CVE number. Before we release details, we always ask if you would like to receive public credit as the discoverer of the issue, or if you prefer to remain anonymous. Please note that we do not offer cash bug bounties for issues that are discovered outside of any formal, by-invitation vulnerability assessment process.
Download PGP Public Key