Fiery Vulnerability Disclosure Policy
This Policy outlines our commitment to address security vulnerabilities promptly and effectively, for all our products, to protect our customers from cyber threats.
When a new security vulnerability gets reported or identified internally or externally, it will be handled by the Fiery Product Security team according to this policy.
We follow the Common Vulnerability Scoring System (CVSS) as part of our standard process of evaluating reported potential vulnerabilities in our products and services. Vulnerabilities are handled and prioritized following the CVSS risk-based score: Critical, High, Medium, and Low.
Customers are advised to follow the CVSS scores to prioritize a particular vulnerability in their own environments.
Reporting Vulnerabilities
We encourage responsible disclosure of security vulnerabilities in our products. If you are a Security Researcher and discover a potential security vulnerability in any Fiery product, we ask that you report it to our security team promptly and responsibly using the form at the bottom of this page.
In Scope Vulnerability Information
The Fiery Security Team is willing to be informed about demonstrated vulnerabilities and is committed to protecting Fiery customers. As part of this commitment, we invite security researchers to help protect Fiery products by proactively reporting security vulnerabilities and weaknesses.
This Vulnerability Disclosure Policy applies to the following products and services:
- Fiery System Software. E.g. FS600/FS600 Pro
- Fiery Firmware. E.g. Fiery HW platform BIOS/UEFI
- Fiery Desktop Client applications. E.g. Fiery Command WorkStation
- Fiery Mobile Apps. E.g. Fiery Go
- Fiery Cloud applications. E.g. Fiery IQ
- Fiery Support Tools. E.g. Fiery Installer Builder
Out of Scope Vulnerability Information
We do not accept the reporting of the following vulnerabilities:
- Windows Operating System vulnerabilities
- Denial of Service (DoS) vulnerabilities
- TLS configuration weaknesses (e.g., “weak” cipher suite support)
- Issues surrounding the verification of email addresses used to create user accounts
- CSRF (Cross-Site Request Forgery) and CRLF (Carriage Return and Line Feed) attacks where the resulting impact is minimal.
- Social Engineering/Phishing attacks.
- Security Bugs in third-party websites and applications that integrate with Fiery Products.
- Network data enumeration techniques (e.g., banner grabbing, existence of publicly available server diagnostic pages).
- Reports indicating that the Products do not fully align with “best practices”.
- Automated software scanner output.
Responsible Disclosure
We follow the principles of responsible disclosure. This means that we ask security researchers to:
- Provide us with reasonable time to investigate and address the reported vulnerability before publicly disclosing it.
- Refrain from exploiting the vulnerability for any malicious purposes or disclosing it to others until we have had an opportunity to address it.
Vulnerability Assessment
Upon receiving a report of a security vulnerability, our security team will promptly assess the reported issue to determine its severity, potential impact, and likelihood of exploitation.
Mitigation and Remediation
Depending on the severity of the vulnerability, we will take appropriate actions to mitigate and remediate the issue. This may include developing and releasing patches, updates, or workarounds to address the vulnerability. We will strive to provide timely updates to our customers and business partners about the status of the vulnerability and any necessary steps they should take to protect themselves.
We may publish product security advisories and notifications on Fiery Communities.
Coordination with Researchers
We value the contributions of security researchers who help us identify and address security vulnerabilities. We will work collaboratively with researchers to verify reported vulnerabilities, develop and test fixes, and acknowledge their contributions appropriately.
Bug Bounty Program
We do not conduct a bug bounty program. If your findings are newly reported and validated by our Security Team, we will publish a security bulletin and give documented credit within the published security bulletin. Accordingly, please acknowledge that there is no expectation of payment or compensation and that any future right to claim related to the submitted report is waived.
Public Disclosure
Once a security vulnerability has been fully addressed, we will publicly disclose information about the vulnerability, including its nature, impact, and the actions we have taken to mitigate it. We believe in transparency and accountability in our security practices.
Continuous Improvement
We are committed to continuously improving the security of our products. We will regularly review and update our security processes and procedures to adapt to emerging threats and industry best practices.
By adhering to this Security Vulnerability Policy, we aim to maintain the trust and confidence of our customers by demonstrating our commitment to their security and privacy.
Report a potential vulnerability
If you are a Security Researcher and believe you have identified a security vulnerability in a Fiery product, please complete the form below and provide as much information as possible. The Fiery Security Team will investigate all reported vulnerabilities affecting Fiery products and services in a timely manner. If possible, please submit your report in English. Fiery responses will be written in English.
Kindly note that the Fiery Security Team does not provide technical support for Fiery products. Any reports submitted that are not related to potential security vulnerabilities or are outside the scope of this policy will be forwarded to the appropriate organization within Fiery. Note that forwarding a report will cause any response to be delayed. If you are a Fiery Partner, Authorized Dealer or end customer and need immediate assistance with something other than reporting a possible security vulnerability as described in this policy, please contact Fiery Technical Support using your current support channels or via Fiery Communities.
Policy Update: September 4, 2024