Fiery Vulnerability Disclosure Policy

At Fiery, LLC., we recognize the importance of collecting and disclosing security vulnerabilities in our products.

This Policy outlines our commitment to address security vulnerabilities promptly and effectively, for all our products, to protect our customers from cyber threats.

When a new security vulnerability gets reported or identified internally or externally, it will be handled by the Fiery Product Security team according to this policy.

Fiery, LLC. follows the Common Vulnerability Scoring System (CVSS) as part of our standard process of evaluating reported potential vulnerabilities in our products and services. Vulnerabilities are handled and prioritized following the CVSS risk-based score: Critical, High, Medium, and Low.

Customers are advised to follow the CVSS scores to prioritize a particular vulnerability in their own environments.

Reporting Vulnerabilities

We encourage responsible disclosure of security vulnerabilities in our products. If you discover a potential security vulnerability, we ask that you report it to our security team promptly and responsibly. You can report vulnerabilities using the form at the bottom of this page.

In Scope Vulnerability Information

The Fiery Security Team is willing to be informed about demonstrated vulnerabilities and is committed to protecting Fiery customers. As part of this commitment, we invite security researchers to help protect Fiery products by proactively reporting security vulnerabilities and weaknesses.

The Fiery, LLC. Vulnerability Disclosure Policy applies to the following products and services:

  • Fiery System Software. E.g. FS600/FS600 Pro
  • Fiery Firmware. E.g. Fiery HW platform BIOS/UEFI
  • Fiery Desktop Client applications. E.g. Fiery Command WorkStation
  • Fiery Mobile Apps. E.g. Fiery Go
  • Fiery Cloud applications. E.g. Fiery IQ
  • Fiery Support Tools. E.g. Fiery Installer Builder

Out of Scope Vulnerability Information

We do not accept the reporting of the following vulnerabilities:

  • Windows Operating System vulnerabilities
  • Denial of Service (DoS) vulnerabilities
  • TLS configuration weaknesses (e.g., “weak” cipher suite support)
  • Issues surrounding the verification of email addresses used to create user accounts
  • CSRF (Cross Site Request Forgery) and CRLF (Carriage Return and Line Feed) attacks where the resulting impact is minimal.
  • Social Engineering/Phishing attacks.
  • Security Bugs in third-party websites and applications that integrate with Fiery Products.
  • Network data enumeration techniques (e.g., banner grabbing, existence of publicly available server diagnostic pages).
  • Reports indicating that the Products do not fully align with “best practices”.
  • Output from automated software scanners.

Responsible Disclosure

We follow the principles of responsible disclosure. This means that we ask security researchers to:

  • Provide us with reasonable time to investigate and address the reported vulnerability before publicly disclosing it.
  • Refrain from exploiting the vulnerability for any malicious purposes or disclosing it to others until we have had an opportunity to address it.

Vulnerability Assessment

Upon receiving a report of a security vulnerability, our security team will promptly assess the reported issue to determine its severity, potential impact, and likelihood of exploitation.

Mitigation and Remediation

Depending on the severity of the vulnerability, we will take appropriate actions to mitigate and remediate the issue. This may include developing and releasing patches, updates, or workarounds to address the vulnerability. We will strive to provide timely updates to our customers and business partners about the status of the vulnerability and any necessary steps they should take to protect themselves.

We may publish product security advisories and notifications on Fiery Communities.

Coordination with Researchers

We value the contributions of security researchers who help us identify and address security vulnerabilities. We will work collaboratively with researchers to verify reported vulnerabilities, develop and test fixes, and acknowledge their contributions appropriately.

Bug Bounty Program

We do not conduct a bug bounty program. If your findings are newly reported and validated by Fiery, LLC., we will publish a security bulletin and give documented credit within the published security bulletin. Accordingly, please acknowledge that there is no expectation of payment or compensation and that any future right to claim related to the submitted report is waived.

Public Disclosure

Once a security vulnerability has been fully addressed, we will publicly disclose information about the vulnerability, including its nature, impact, and the actions we have taken to mitigate it. We believe in transparency and accountability in our security practices.

Continuous Improvement

We are committed to continuously improving the security of our products. We will regularly review and update our security processes and procedures to adapt to emerging threats and industry best practices.

By adhering to this Security Vulnerability Policy, we aim to maintain the trust and confidence of our customers by demonstrating our commitment to their security and privacy.

Report a potential vulnerability

If you believe you have identified a security vulnerability in a Fiery product, please complete the form below and provide as much information as possible. The Fiery Security Team will investigate all reported vulnerabilities affecting Fiery products and services. Kindly note that the Fiery Security Team does not provide technical support for Fiery products. If you need assistance with something other than reporting a possible security vulnerability, please contact Fiery Technical Support via Fiery Communities.

Policy Update: March 4, 2024
