Product Security - Report an Issue

 

Achieving trust through rapid response & transparency

Forcepoint's Product Security Team (PST) is a global team that coordinates security testing, vulnerability management, and vulnerability communication for products created and services provided by Forcepoint, including those that are now end-of-life (EOL). PST receives reports of vulnerabilities via email to PSIRT@forcepoint.com using our PGP key (https://www.forcepoint.com/sites/default/files/keys/0x756d3b2b.asc). 

Disclosure and Embargo Policy

In Scope
PST handles the security of Forcepoint products and services and whether they themselves are vulnerable to threats.

Out of Scope

Corporate Infrastructure

Security concerns regarding the Forcepoint.com website and email domain should be directed to technical support: https://support.forcepoint.com/contactsupport.

Efficacy

Questions regarding the efficacy or ability of Forcepoint products and services to detect/protect/block against threats should be directed to technical support: https://support.forcepoint.com/contactsupport.

Website Categorization

You can suggest a new categorization via https://csi.forcepoint.com/ after you analyze your website. The Forcepoint Labs team will then review. Alternatively, you may open a support case by contacting technical support: https://support.forcepoint.com/contactsupport.

 

Vulnerabilities

Forcepoint defines a security vulnerability as an unintended error or weakness in the program or in its default configuration that enables or risks compromise of confidentiality, integrity, or availability of the product or service; or a significant bypass of the intended security offering.

Reporting

All vulnerability submissions must include the following information:

  • Salesforce Ticket
  • Company/organization name
  • Product type(s) (i.e. AP-WEB, AP-EMAIL, DLP, etc.)
  • Product version(s) (i.e. 8.3.0, 8.4.0, 8.5.0, etc.)
  • Deployment type(s) (i.e. v10k appliance, v5k appliance, software, etc.)
  • Listing of applied/missing hotfixes
  • Interface listing per IP/host
  • Complete vulnerability report that indicates the mentioned vulnerabilities and includes information needed to reproduce what was observed

A vulnerability reporter (reporter) can expect a confirmation of receipt within one business day. Once a report is received, PST will begin research to confirm the existence of the vulnerability, and if verified, the versions affected. During this process PST may reach out to the reporter for additional information, e.g. a proof of concept exploit, as needed. Throughout this process PST will share any relevant status updates with the reporter as they develop.

Once this analysis is complete Forcepoint will decide, based on factors including CVSSv3.1 score, the timeline for producing an update or workaround. We strive to resolve vulnerabilities with a CVSSv3.1 score of 4.0 or higher within 90 days in the absence of complexity and other factors. Whether to address vulnerabilities with a score below CVSSv3.1 4.0 will be decided on a case-by-case basis.

CVE Assignment

Once a decision has been made to address a vulnerability, a CVE ID will be selected from our allocated block and shared with the reporter.

The CVE ID will become public once a Knowledge Base Article (KBA) on Forcepoint Support (https://support.forcepoint.com/) addressing the vulnerability is published. Once we publish a KBA we will update the Program Root CNA--MITRE Corporation--with the requisite details for their distribution.

Forcepoint credits reporters in KBAs, if they:

  1. Give consent for such publicity
  2. Do not publicly disclose information about the vulnerability before the KBA is published
  3. Do not publicly disclose information about exploitation of the vulnerability until a period of 90 days has passed since the publishing of the KBA

Reporters may provide a list of names of individuals and/or organizations to be credited.