Absolute Vulnerability Reporting and Management
While Absolute strives to make its software and services as secure as possible, it’s a fact of life that complex software systems inevitably have bugs - and sometimes these bugs lead to vulnerabilities. We catch most bugs and vulnerabilities through our own internal testing, and most of the remainder through our regular engagements with third-party testing companies, but sometimes something slips through. When we discover this has happened, we aim to address the issue as quickly as possible, notify our customers if there is any risk to them, and release further details once we have a fix.
How Absolute processes vulnerability reports
Whenever Absolute becomes aware of a potential security vulnerability, we will quickly move to assess the issue. We first replicate the problem, and then determine whether the issue represents a security risk to our customers or our own systems. If we discover any risk, we immediately start work on a fix for the underlying problem, as well as tactical mitigations to reduce the imminent risk. We also set in motion a process to identify the root cause of how the vulnerability made it into the product in the first place.
Once we identify a risk and have established a mitigation or a fix, we reach out to inform our customers. Customers receive notification in their Absolute Console when they log in (guest users do not receive these notifications), and we inform customers through the email address they provided to Absolute. Users can also specify a separate email address for the notification of security issues by contacting their Absolute Account Manager or the Absolute Customer Service team.
After the issue has been resolved (and fixes have been made available, if necessary) we will post details of the issue on our website, including impacted versions of the software or service and recommended mitigations.
Reporting a vulnerability to Absolute
We can’t fix vulnerabilities unless we know about them. That’s why our vulnerability reporting program doesn’t just cover how we keep our customers informed, but also how we work with customers, partners, and security researchers to receive reports of issues, assess them, and address them with as much transparency as possible while maintaining the security of our systems and data, and those of our customers.
If you think you've identified any sort of security vulnerability, please contact us immediately at [email protected]. If you feel the vulnerability is severe, or the details are particularly sensitive, please send any sensitive information encrypted using PGP or GnuPG using the public key available at the bottom of this page.
All reports are carefully reviewed, and we will get back to you as soon as possible. If we need more details to assess the issue, we will let you know. Once we have sufficient details, we begin our vulnerability remediation process, keeping you informed as much as possible along the way.
Depending on the nature of the issue, the fix turnaround time can vary a great deal. For simple configuration issues we can often resolve the issue right away; for issues in client code distributed through our OEM/system manufacturer partners, it can take longer to get a fix into the hands of our customers. We aim to resolve all high-severity security vulnerabilities within 90 days. In most cases the fix happens much sooner, but on rare occasions it can take longer, especially when OEM/system manufacturers or third parties are involved. During this period, we greatly appreciate bug reporters keeping the issues confidential as we work with them to solve the problem.
If you report a product issue that might have impact on our customers, we will likely issue a security notice and - if the issue is of non-trivial severity - we may release the details with a CVE number. Before we release details, we always ask if you would like to receive public credit as the discoverer of the issue, or if you prefer to remain anonymous. Please note that we do not offer cash bug bounties for issues that are discovered outside of any formal, by-invitation vulnerability assessment process.
Download PGP Public Key
Secure Access Products Disclosure Policy
As a market-leading vendor of security solutions, Absolute is dedicated to the pursuit of security excellence throughout the product lifecycle. This document describes how we respond to reports of security vulnerabilities in our products.
Absolute is interested in learning about all real and perceived vulnerabilities in our software, whether currently supported or in an end-of-development, end-of-sale, or end-of-support phase.
Not all vulnerability reports made to us will be responded to in the same way. Responses to vulnerabilities that are considered ‘In Scope’ will follow the processes outlined here. Responses to vulnerabilities that are considered ‘Out of Scope’ will be addressed on a case-by-case basis.
The following types of vulnerabilities are in-scope for the purposes of our security response processes.
- Vulnerabilities in our server, agent, and cloud solutions in versions that have been commercially released and are currently supported.
- Vulnerabilities in our implementations of third-party technologies as implemented in commercially released versions of our products. In some cases, Absolute leverages third-party technologies in limited ways to implement our solutions. Vulnerabilities in our implementation of these technologies are in-scope.
- All vulnerabilities in products or product versions that have been commercially released and have reached end of development, sale, or support.
Out of Scope
We are interested in learning about all vulnerabilities, but the following types of vulnerabilities are out of scope for purposes of our security response processes.
- Vulnerabilities in a supported commercial operating system or other elements of the operating environment such as the authentication infrastructure. Our expectation is that users will keep up to date on patches and retire elements of their operating environments that are end-of-life and are no longer being updated or patched by the vendor.
- Vulnerabilities in generic implementations of technologies we implement. In some cases, Absolute leverages third-party technologies in limited ways to implement our solutions. Vulnerabilities in generic implementations of third-party technologies are out of scope unless we determine that the vulnerability exists in our implementation.
- Vulnerabilities that are only exploitable if someone intentionally misconfigures, insecurely configures, or insecurely deploys our products.
- Vulnerabilities in network functions on which a fully integrated Absolute solution relies. An example of this might be a third-party authentication infrastructure vulnerability or an otherwise compromised operating system; vulnerabilities of this nature would be out of scope unless we determine that the vulnerability can be exploited in our implementation.
- Vulnerabilities in pre-release or developer builds such as alpha or beta. Occasionally we provide limited access to pre-release software. While we encourage the reporting of vulnerabilities in pre-release software, vulnerabilities specific to pre-release software are out of scope for the purposes of our security response.
Reporting a vulnerability in Absolute's Secure Access products
The fastest way to notify Absolute of a potential vulnerability in one of our products is to contact our support team and inform them that you believe there is a vulnerability. Information for contacting support can be found on our website at https://www.absolute.com/customers/support/. It is not necessary to have an active support contract to inform us of a vulnerability in our products.
Absolute adheres to the practice of responsible disclosure where the time between reporting a vulnerability and disclosure of that vulnerability in a public forum such as the CVE database allows for the release of a patch, notification of the affected customers, and time for affected customers to deploy the patch. Absolute is pleased to publicly acknowledge the efforts of security analysts who contact us and follow this policy in our notifications and on our web site.
Absolute follows the general classifications of vulnerabilities as described in the Common Vulnerability Scoring System (CVSS version 3.1, https://www.first.org/cvss/). CVSS classifies vulnerabilities into severity tiers by score – None (0.0), Low (0.1 – 3.9), Medium (4.0 – 6.9), High (7.0 – 8.9), and Critical (9.0 – 10.0). In general, defects are resolved in the most current version of Absolute products. Our responses to in-scope vulnerabilities follow these general guidelines.
| Severity | When / How we fix | Letting Customers Know |
|---|---|---|
| Critical and High | Make fix available for customers in the current version of the product ASAP. | Notification to all current and former customers, update posted to security notification page |
| Medium | Make fix available for customers in the current version of the product as part of the next scheduled maintenance release. | Notification to current customers, update posted to security notification page |
| Low | Make fix available as soon as is practical. These are typically addressed in scheduled feature releases for current versions of the product. | Updates to the KARI (Known and Resolved Issues) page. |
In general, we strive to disclose vulnerabilities to the CVE database within 90 days of confirming that a vulnerability exists and is in scope (see Scope) for a supported product. If we anticipate the creation, test, release, customer notification and adoption cycles will take more than 90 days, we commit to working with security analysts in good faith to protect our users and ensure that vulnerabilities in Absolute products are disclosed and managed in a fair and open manner.
Past reports of vulnerabilities in Absolute's products are listed here.
Bug Bounty Program
Absolute offers a bug bounty for in-scope issues that are reported to us under the precepts of responsible disclosure and following the outline of this policy document. Claims must be accompanied by exploit code and must be made against the current shipping version of a supported product. Multiple methods for exploiting the same underlying issue will count as one issue. Payouts will be issued to the first reporter when the vulnerability is publicly disclosed. Security analysts who report through a third party can recover their bounty from that third party.
Payout amounts are as follows:
| Severity | Expected Payout in USD |
|---|---|
| CVSS Critical | $3,500 – $4,500 |
| CVSS High | $2,000 – $3,500 |
All aspects of the Absolute Security Disclosure Process and Policy are subject to change without notice at any time. While we strive to acknowledge all submissions, a response is not guaranteed for any specific issue or class of issues. Your use of the information on the policy or materials linked from the policy is at your own risk.
We encourage security researchers to report their findings to us without fear of legal consequences. Absolute Software does not intend to engage in legal action against any researcher who 1) has performed and reported research according to current best practices for conducting and reporting that research and 2) adheres to the precepts of responsible disclosure. Security researchers must make good faith efforts to avoid violating any law and avoid any action that could negatively impact the confidentiality, integrity or availability of information and systems of either Absolute Software or its customers.