Fortinet Security Vulnerability Policy

Overview

As a leading vendor in the cyber security space, Fortinet secures the largest enterprise, service provider, and government organizations around the world. As such, it is essential that our products adhere to the highest security assurance standards and are developed with security at the forefront of the product development lifecycle.

The Fortinet Product Security Assurance Policy is based on recognized industry standards, including ISO/IEC 29147:2018 for vulnerability disclosure, ISO/IEC 30111:2019 for vulnerability handling processes, and FIRST (Forum of Incident Response and Security Teams) best practice recommendations.

Fortinet Product Security Incident Response Team (PSIRT) Mission

The Fortinet Product Security Incident Response Team (PSIRT) is responsible for maintaining security standards for Fortinet products by training teams in secure coding practice, testing product security, and responding to Fortinet product security incidents. Fortinet PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services. Fortinet defines a security vulnerability as an unintended weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of the product. Fortinet PSIRT works with Fortinet customers, independent security researchers, consultants, industry organizations, and other vendors to accomplish its PSIRT mission.

Commitment to Product Security and Integrity at Fortinet

Fortinet product development practices specifically prohibit any intentional behaviors or product features that are designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions.

Any design or implementation issue that substantially affects the confidentiality or integrity of a product, or that impacts user security, is likely to be in PSIRT scope. Common examples include:

  • Undisclosed device access methods or "backdoors"
  • Hardcoded or undocumented account credentials
  • Undocumented traffic diversion
  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Bypass of a security feature (e.g. bypass of the AV/IPS engine)

Fortinet considers such product behaviors to be serious vulnerabilities. Fortinet will address any issues of this nature with the highest priority and encourages all parties to report suspected vulnerabilities to the Fortinet PSIRT for immediate investigation. Internal and external reports of these vulnerabilities will be managed and disclosed under the terms of the Fortinet Security Vulnerability Policy.

Fortinet-owned internal web services are not intended to be in PSIRT scope. This includes virtually all the content in the following domains:

  • *.fortinet.com
  • *.forticloud.com

Issues in these domains should be directed to the InfoSec team instead (global-infosec@fortinet.com).

Reporting a Suspected Security Vulnerability

Individuals or organizations that are experiencing a product security issue are strongly encouraged to contact the Fortinet PSIRT. Fortinet welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security. The minimum information needed to report a security issue is a description of the potential vulnerability.

Please contact the Fortinet PSIRT via psirt@fortinet.com.

Reports received via email are typically acknowledged within 24 business hours. The cadence of ongoing status updates on reported issues will be determined as needed.

Fortinet encourages the encryption of sensitive information sent to Fortinet in email messages. The Fortinet PSIRT supports messages encrypted with PGP/GNU Privacy Guard (GPG). The Fortinet PSIRT public key (key ID 0xC7A59F07) is available at https://www.fortiguard.com/pgpkey.

Responsible disclosure process

Fortinet recognizes and appreciates the important role played by independent security researchers and our customers in collaborating to keep our product ecosystem secure. We request that vulnerability reporters follow the process below when reporting a vulnerability.

When Fortinet PSIRT receives a security vulnerability report, it is investigated as quickly as possible to identify the risk and is prioritized based on the potential severity of the vulnerability and other factors. Ultimately, the resolution of a reported incident may require upgrades to products that are under active support from Fortinet.

The following graphic illustrates the Fortinet PSIRT process at a high level and provides an overview of the vulnerability lifecycle, disclosure, and resolution process.

[Figure: psirt_process - Fortinet PSIRT vulnerability lifecycle, disclosure, and resolution process]

Throughout the investigative process, the Fortinet PSIRT strives to work collaboratively with the source of the report (the incident reporter) to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results will be delivered to the incident reporter along with a plan for resolution and public disclosure. If the incident reporter disagrees with the conclusion, the Fortinet PSIRT will make every effort to address those concerns.

During any investigation, the Fortinet PSIRT manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Similarly, the Fortinet PSIRT asks incident reporters to:

  • Maintain strict confidentiality until complete resolutions are available for customers and have been published by the Fortinet PSIRT on the Fortinet website through the appropriate coordinated disclosure. We take the security of our customers very seriously; however, some vulnerabilities that require coordination between front-end and back-end systems may take longer than others to resolve.
  • Provide full details of the security issue, including steps to reproduce, the details of the system where the tests were conducted, and a clearly defined impact.

We also request that reporters DO NOT:

  • Cause potential or actual damage to Fortinet, its systems, or its applications.
  • Use an exploit to view unauthorized data or to corrupt data.
  • Engage in disruptive testing, including but not limited to DoS, fuzzing, automated scanning of cloud services, or any action that could impact the confidentiality, integrity, or availability of information and systems.
  • Engage in social engineering (e.g. phishing, vishing, smishing) of Fortinet employees or customers.

With the agreement of the incident reporter, the Fortinet PSIRT may acknowledge the reporter's contribution during the public disclosure of the vulnerability.

Fortinet PSIRT works with MITRE for issuance of a Common Vulnerabilities and Exposures (CVE) ID where required and will publish the details of the vulnerability once it is resolved. Fortinet will work with third-party organizations, including but not limited to CERT/CC, on coordinated industry disclosure for vulnerabilities reported to Fortinet that may impact multiple vendors (for example, a generic protocol issue). In those situations, the Fortinet PSIRT will either assist the incident reporter in contacting the coordination center or do so on that individual's behalf.

The Fortinet PSIRT will coordinate with the incident reporter to determine the frequency of status updates on the incident and of documentation updates.

In the event Fortinet becomes aware of a vulnerability that does not affect a Fortinet product, but does involve another vendor's product, Fortinet may report the issue upstream.

Fortinet does not have a bug bounty program.

Threat Risk Assessment and SLAs

Fortinet categorizes threats according to the MITRE Common Weakness Enumeration (CWE) taxonomy.

Fortinet uses version 3.1 of the Common Vulnerability Scoring System (CVSS) as part of its standard process for evaluating reported potential vulnerabilities in Fortinet products. The CVSS model uses three distinct metric groups (Base, Temporal, and Environmental), and the Fortinet PSIRT uses the resulting score to assign a severity level.

Severity        CVSS score     Branches to fix (where applicable)     Fix information
Critical        9.0 - 10.0     All supported versions                 Out-of-cycle PSIRT advisory; CVE published
High            7.0 - 8.9      All supported versions                 Monthly PSIRT advisory; CVE published
Medium          4.0 - 6.9      Current and prior version              Monthly PSIRT advisory; CVE published
Low             2.0 - 3.9      Fixed in latest supported version      Monthly PSIRT advisory; CVE published
Informational   > 0.0 - 1.9    Fixed in next major version            Release notes (if applicable)

Issues in the Informational severity category are typically published as a bug in the release notes and not as part of a PSIRT Security Advisory.

Fortinet reserves the right to deviate from these guidelines in specific cases if additional factors are not properly captured in the CVSS score.

If there is a security issue in a third-party software component used in a Fortinet product, Fortinet typically uses the CVSS score provided by the third party. In some cases, Fortinet may adjust the CVSS score to reflect how the component is used and/or the impact on the Fortinet product.

More information about CVSS scoring can be found at http://www.first.org/cvss/.

Communications Plan

Fortinet will publicly disclose a Fortinet Security Advisory if one or more of the following conditions exist:

  • The Fortinet PSIRT has completed the incident response process and determined that sufficient software patches or workarounds exist to address the vulnerability, or full/public disclosure of the vulnerability has been or is about to be made.
  • The Fortinet PSIRT has observed active exploitation of a vulnerability that could lead to increased risk for Fortinet customers. In this case, Fortinet will accelerate the publication of a security announcement describing the vulnerability, which may or may not include a complete set of patches or workarounds.
  • There is the potential for increased public awareness of a vulnerability affecting Fortinet products that could lead to increased risk for Fortinet customers. In this case, Fortinet will accelerate the publication of a security announcement describing the vulnerability, which may or may not include a complete set of patches or workarounds.
  • Fortinet reserves the right to deviate from this policy on an exception basis to ensure that software patches are accessible on Fortinet.com.

There are several ways to stay connected and receive the latest security vulnerability information from Fortinet. Review the following table, and subsequent summaries, to determine the appropriate option.

Source     Location                            Description
Website    https://fortiguard.com/psirt        Website listing vulnerabilities
RSS        https://fortiguard.com/rss/ir.xml   Fortinet security vulnerability information is also available via RSS feeds from https://fortiguard.com/rss-feeds

These feeds are free and do not require an active Fortinet.com support registration.

Public Relations or Press Queries

For any press questions regarding a vulnerability in a Fortinet product, please contact pr@fortinet.com.