Get a Break from the Chaos of RSA and Meet with Forcepoint at the St. Regis.


Forcepoint Product Security Vulnerability Notice and Mitigation Policy

Forcepoint believes the security of our products is of paramount importance in the development of security solutions. As a result, product security findings are considered high-priority issues and are individually reviewed and prioritized for resolution above product enhancement or feature requests.

The Forcepoint Product Security Incident Response Team (PSIRT) goal is to minimize customers’ risk associated with security vulnerabilities by providing timely information, guidance and remediation of vulnerabilities in Forcepoint products.

Forcepoint PSIRT is a team that manages the receipt, investigation, internal coordination, remediation and disclosure of security vulnerability information related to Forcepoint products and responsible for coordinating the response and disclosure for all internally and externally identified Forcepoint product vulnerabilities.

Forcepoint Product Security Vulnerability Notice and Mitigation Policy describes the steps Forcepoint follows when responding to and mitigating newly discovered security vulnerabilities or information of active exploitation of a security flaw or weakness.

Forcepoint calculates the full CVSS score (CVSS Base + Temporal + Environmental) using CVSS v3.1 to include how the vulnerable code is used in Forcepoint products, solutions and platforms, what the potential attack vectors are, what the potential impact is, mitigating factors and which mitigation controls can be deployed.

This CVSS score drives the expected prioritization for product security fixes as defined in the Operational Level table (Table 1).

Forcepoint will strive to meet the notification and mitigation times noted below under normal operating conditions. These times may be impacted by extraordinary factors such as code complexity, operational or product impact, or availability of third party components. Forcepoint will exercise commercially reasonable efforts to notify and mitigate the impact of identified vulnerabilities in accordance with the table below.

Table 1

CVSS Severity Rating CVSS Score Time to Notify Time to Mitigate
Critical 9.0–10.0 5 days 10 days
High 7.0–8.9 5 days 45 days
Medium 4.0 –6.9 Not required 90 days or next major release
Low 0.1–3.9 Not required 6 months or next major release
None 0.0 Not required Not required

Depending on the product, Forcepoint may deliver these fixes as security advisories, knowledge base updates, software updates and hotfixes, or directly into the product.