Vulnerability Disclosure Policy

Specops Software is committed to resolving security vulnerabilities in our products and services. We take all necessary steps to minimize customer risk, provide timely information, and deliver vulnerability fixes and mitigations required to address security threats.

Specops Software follows the Responsible Disclosure guidelines as laid out in ISO 29147 for any externally reported vulnerabilities or security flaws. These standards facilitate open communication between security researchers and vendors, clearly define responsibilities between the involved parties, and protect all parties from exploitation whenever possible.

Reporting a vulnerability

If you believe you have discovered a vulnerability in a Specops Software product, service, or infrastructure that has not been resolved, please email a high-level description of your findings to security@specopssoft.com. Please do not take advantage of the vulnerability or reveal the problem to others until it has been resolved and we mutually agree on public disclosure of the issue.

To expedite verification and handling of the finding, please provide the following information in the initial communication:

  • Your preferred contact information
  • Product name, version number, IP address, or the URL of the affected system
  • Date the vulnerability was observed
  • Description of the vulnerability
  • Instructions to duplicate the vulnerability

Please note that we do not permit the following types of security research:

  • Actions that may negatively affect Specops Software products or their users (spam, denial of service, brute-force attacks, etc.)
  • Accessing any data that does not belong to you
  • Accessing or attempting to access any internal systems that belong to Specops Software
  • Corrupting or otherwise damaging any data that does not belong to you
  • Social engineering
  • Violating any laws or breaching any agreements in order to discover vulnerabilities

Mitigation and remediation

If the report is confirmed valid, Specops Software will move forward with providing remediation or mitigation. Specops Software will keep the reporter up to date on progress until the issue has been fully addressed to the satisfaction of all parties. Specops Software will not respond if the reported issue is already known or is confirmed invalid.

Specops Software asks that any vulnerabilities be reported in accordance with the principles of Coordinated Vulnerability Disclosure (CVD) and not be reported or revealed publicly until they are remediated or sufficient time has elapsed in accordance with CVD. We strive to resolve all problems as quickly as possible, and we would like to play an active role in the eventual publication about the problem after it is resolved.

What we promise:

  • We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, we will not take any legal action against you regarding the report.
  • We will handle your report with strict confidentiality, and will not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress towards resolving the problem.
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).

Reward

Reward decisions are at the discretion of Specops Software, but are generally based on severity as rated by the Common Vulnerability Scoring System (CVSS).