Fortinet Corporate Security Incident Response Team (CSIRT) Contact Form
As an industry leader in network security, the security of Fortinet’s own IT infrastructure is essential to our success. The Fortinet Corporate Security Incident Response Team (CSIRT) is responsible for maintaining high standards for the security of our network, business applications and data. The CSIRT works diligently to respond to security issues in Fortinet network infrastructure and in Fortinet web and mobile applications. Vulnerabilities in Fortinet cloud services, network infrastructure and applications are within the scope of the Fortinet CSIRT.

The following vulnerability categories are considered out of scope for the CSIRT Responsible Disclosure Program (unless a proven high impact is demonstrated) and will not be eligible for credit on our researcher list:
- Theoretical vulnerabilities
- Unvalidated output from automated web vulnerability scanners, SSL/TLS scanners or port scanners.
- Low severity, low impact security issues that can be detected by automated scanners
- Informational disclosure of non-sensitive data
- Self XSS (user defined payload)
- Network-level Denial of Service (DoS/DDoS) vulnerabilities.
- Any kind of physical intrusion or social engineering attempts.
- Any low impact issues related to session management (e.g. concurrent sessions, session expiration, session refresh on password reset/change, password strength, brute force, rate limiting, logout, etc.)
- Missing X-Frame-Options header (Clickjacking/UI Redressing).
- Incomplete or missing SPF/DMARC/DKIM records
- Account or ID enumeration via brute force
- Client-side application/browser autocomplete or saved credentials
- Verbose error pages without proof of exploitability or obtaining sensitive information
- Lack of SSL/TLS, or deviations from SSL/TLS best practices, without a fully functional proof of concept
- SSL/TLS mixed content issues (unless they leak sensitive information such as cookies or credentials)
- Cross-site Request Forgery (CSRF) with low security impact (logout CSRF, etc.)
- Missing cookie flags or missing/enabled HTTP headers/methods (unless they lead directly to a security vulnerability)
- Low impact stack trace disclosures, information disclosures and banner grabbing issues (software and server version disclosure, etc.)
- Exposed login pages
- Vulnerabilities affecting only outdated user agents or application versions
- Directory listings (unless they reveal sensitive and useful information)
- Unchained open redirects
- IIS tilde (short name) file and directory disclosure (unless it reveals sensitive and useful information)
- Low impact Content Spoofing issues
- UI and UX bugs (including spelling mistakes)
- Open redirect via the Host header