Fortinet Security Vulnerability Policy
Overview
As a leading vendor in the cybersecurity industry, Fortinet secures the largest enterprise, service provider, and government organizations around the world. As such, it is essential that our products adhere to the highest security assurance standards and are developed with security at the forefront of the products development lifecycle.
At Fortinet, we diligently balance our commitment to the security of our customers and our culture of researcher collaboration and transparency
Scope
Fortinet product security practices cover the following products, services and systems:
- All our products that have not reached End-of-Life (EoL) milestone. These include hardware, software and SaaS products (cloud services) and products delivered by our wholly-owned subsidiaries.
- Fortinet web and mobile applications, cloud services and supporting network infrastructure.
Fortinet Product Security Incident Response Team (PSIRT)
The Fortinet Product Security Incident Response Team (PSIRT) is responsible for maintaining security standards for Fortinet products by training teams in secure coding practice, testing product security, and responding to Fortinet product security incidents. Fortinet PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services. Fortinet defines a security vulnerability as an unintended weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of the product. Fortinet PSIRT works with Fortinet customers, independent security researchers, consultants, industry organizations, and other vendors to accomplish its PSIRT Mission.
Please report non-product issues related to issues in Fortinet IT infrastructure corporate website or other Fortinet internal systems such as email etc. at CSIRT Contact form
Reporting a Vulnerability
Individuals or organizations that suspect a security issue are strongly encouraged to contact Fortinet. Fortinet welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security. The minimal data needed for reporting a security issue is a description of the potential vulnerability.
Please contact the Fortinet Incident Response teams via the web form here by selecting the appropriate vulnerability category. | |
Customers can report vulnerabilities via the FortiCare customer support portal |
Support requests that are received via email are typically acknowledged within 24 business hours. Ongoing status on reported issues will be determined as needed.
Fortinet adheres to the FIRST Traffic Light Protocol (TLP) v.2.0 labeling scheme for sharing of sensitive data when sensitive information is shared with us. Any sensitive non-public information about vulnerabilities is considered highly confidential, and only individuals who have a legitimate need to know and can add value to the remediation process may access this information until notification.
Further communications with the reporter may be via email. The Fortinet PSIRT supports encrypted messages via PGP/GNU Privacy Guard (GPG). The Fortinet PSIRT public key (key ID 0xC7A59F07) is available at PGP Keys page.
Responsible disclosure process
Fortinet recognizes and appreciates the important role played by independent security researchers and our customers in collaborating to keep our product ecosystem secure.
Throughout the investigation process, Fortinet strives to work collaboratively with the incident reporter to confirm the nature of the vulnerability, gather required technical information, prioritize remediation based on the potential severity of the vulnerability assessed using CVSS and other factors. When the initial investigation is complete, results will be delivered to the incident reporter along with a plan for resolution and public disclosure. If the incident reporter disagrees with the conclusion, the Fortinet PSIRT will make every effort to address those concerns. The resolution of a reported incident may require upgrades to multiple products that are under active support from Fortinet.
During any investigation, the Fortinet PSIRT manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Similarly, we ask incident reporters to:
- Maintain strict confidentiality until complete resolutions are available for customers and have been published on the Fortinet website through the appropriate coordinated disclosure or Fortinet has notified you that the issue has been mitigated. We take the security of our customers and infrastructure very seriously, however some issues may take longer than others to resolve.
- Provide full details of the security issue including steps to reproduce and the details of the system where the tests were conducted and a clearly defined impact.
- Refrain from accessing any non-public data. If a vulnerability provides unintended access to data;
- limit the amount of data you access to the absolute minimum required for effectively demonstrating a Proof of Concept, and
- cease testing and submit a report immediately if you encounter any user data during testing, such as and without limitation, Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
We also request that reporters DO NOT:
- Cause potential or actual damage to Fortinet, systems, or applications.
- Use an exploit to view unauthorized data or to corrupt data.
- Engage in disruptive testing including but not limited to DoS, fuzzing, automated scanning of cloud services, or any action that could impact the confidentiality, integrity, or availability of information and systems.
- Engage in social engineering (e.g. phishing, vishing, smishing) of Fortinet employees or customers.
With the agreement of the incident reporter, Fortinet PSIRT may acknowledge the reporter's contribution during the public disclosure of the vulnerability.
Fortinet works with NIST for issuance of a Common Vulnerabilities and Exposure ID where required and will publish the details of the vulnerability once resolved.
In the event Fortinet becomes aware of a vulnerability that does not affect a Fortinet product, but does involve another vendor's product, Fortinet may report the issue upstream.
Fortinet does not operate a bug bounty program.
Commitment to Product Security and Integrity at Fortinet
Fortinet’s Secure Development Lifecycle Policy is based on the principle of “Secure by Design, Secure by default”. STRIDE based threat modeling is used to identify the potential threats to products and include mitigations against these risks. Robust security testing is employed including tools and techniques such as:
- Static Application Security Testing / Static code analysis built into our build processes (SAST)
- Dynamic application security testing (DAST), vulnerability scanning and fuzzing prior to each release
- SBoM tracking to identify vulnerabilities of open-source software (OSS) and other 3rd party libraries used within the product
- Manual code audit by dedicated security engineers
- Scheduled Internal Penetration Testing
- Scheduled Penetration Testing by independent CREST Certified third parties for all major releases
Vulnerabilities and weaknesses found through these exercises are responded to appropriately and all remediated issues, internal or externally discovered, published via our PSIRT Advisory page.
Threat Risk Assessment and SLAs
Fortinet uses version 3.1 of the Common Vulnerability Scoring System (CVSS) as part of its standard process of evaluating reported potential vulnerabilities in Fortinet products. The CVSS model uses three distinct measurements or scores that include Base, Temporal, and Environmental calculations which Fortinet PSIRT uses to assign a severity level.
Severity | Branches to fix (where applicable) | Advisory |
---|---|---|
Critical CVSS = 9.0 - 10.0 | All supported versions * | Monthly or Out of cycle PSIRT advisory (timing dependent) CVE Published |
High CVSS >= 7.0 - 8.9 | All supported versions * | Monthly PSIRT advisory CVE Published |
Medium CVSS >= 4.0 - 6.9 | Current and prior version | Monthly PSIRT advisory CVE Published |
Low CVSS >= 2.0 - 3.9 | Fixed in latest supported version | Monthly PSIRT advisory CVE Published |
Informational CVSS > 0.0 - 1.9 | Fixed in next major version | Release notes (if applicable). |
Fortinet reserves the right to deviate from these guidelines in specific cases if additional factors are not properly captured in the CVSS score.
If there is a security issue with a third-party software component that is used in a Fortinet product, Fortinet typically uses the CVSS score provided by the third-party, however, in some cases, Fortinet may adjust the CVSS score to reflect the usage of the component and/or impact to the Fortinet product.
More information about CVSS scoring can be found at http://www.first.org/cvss/
Communications Plan
Once the minimum requirements are met for remediating a vulnerability in the required releases, Fortinet will publicly disclose via the Fortinet Security Advisory Process:
- A vulnerability advisory is published on the second Tuesday of the month and a Monthly Advisory notice sent.
- Critical vulnerabilities may be published via an out of cycle PSIRT advisory as necessary.
- If Fortinet PSIRT has observed active exploitation of a vulnerability that could lead to increased risk for Fortinet customers, Fortinet may accelerate the publication of a security announcement describing the vulnerability via an Out of Cycle Advisory that may or may not include a complete set of patches or workarounds
- Fortinet reserves the right to deviate from this policy on an exceptional basis.
There are several ways to stay connected and receive the latest security vulnerability information from Fortinet. Review the following table, and subsequent summaries, to determine the appropriate option.
Websitehttps://fortiguard.fortinet.com/psirt |
Register via Support.fortinet.com |
RSS Feedhttps://fortiguard.fortinet.com/rss/ir.xml |
Safe Harbor
We will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this stated Policy.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party that is not Fortinet, that third-party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities. Please refer to that third-party's bug bounty policy, if they have one, or contact the third-party either directly or through a legal representative before initiating any testing on that third-party or their services. If legal action is initiated by a third-party against you and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy. While we consider submitted reports to be confidential documents, please be aware that a court could, despite our objections, order us to share report-related information with a third-party. For clarity, this policy and any actions taken hereunder are not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third-party action based on your actions.
You are expected, as always, to comply with all applicable laws and regulations.
Please contact us or submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision.
Public Relations or Press Queries
For any media questions regarding a vulnerability in a Fortinet product, please contact pr@fortinet.com.