Vulnerability Disclosure

Definition

Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with the exploitation of vulnerabilities. This vulnerability disclosure program does not provide monetary rewards for bug submissions.

Vulnerability disclosure at Specops Software

Specops Software is committed to resolving security vulnerabilities in our products and services. We take all necessary steps to minimize customer risk, provide timely information, and deliver vulnerability fixes and mitigations required to address security threats.

Specops Software follows the Responsible Disclosure guidelines as laid out in ISO 29147 for any externally reported vulnerabilities or security flaws. These standards facilitate open communication between security researchers and vendors, clearly define responsibilities between the involved parties, and protect all parties from exploitation whenever possible.

Reporting a vulnerability

If you believe you have discovered a vulnerability in a Specops Software product, service, or infrastructure that has not been resolved, please contact us using the form below.

To expedite verification and handling of the finding, please provide the following information in the initial communication or the helpdesk ticket:

  • Your preferred contact information
  • Product name and version number, if applicable
  • Date the vulnerability was observed
  • Description of the vulnerability
  • Instructions to duplicate the vulnerability

Specops does not permit the following types of security research:

  • Actions that may negatively affect Specops, the Specops platform, or its users (Spam, Denial of Service, Brute Force attacks)
  • Accessing any data that does not belong to you
  • Accessing or attempting to access any Specops internal systems
  • Corrupting or otherwise damaging any data that does not belong to you
  • Social engineering
  • Violating any laws or breaching any agreements in order to discover vulnerabilities

Reward:

At this time, Specops Software does not provide any compensation, whether monetary or in the form of public recognition, for vulnerabilities submitted by independent researchers or customers.

Mitigation and remediation

If the report is confirmed valid, Specops Software will move forward with providing remediation or mitigation. Specops Software will keep the reporter up to date on progress until the issue has been fully addressed to the satisfaction of all parties.

Specops Software asks that any vulnerabilities be reported in accordance with the policies of Coordinated Vulnerability Disclosure (CVD) and not be reported or revealed publicly until they have been remediated or sufficient time has elapsed in accordance with CVD.

References

https://www.iso.org/standard/72311.html
https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf


Submit a vulnerability
