Responsible Disclosure Process

As part of Fortinet’s business, Fortinet performs security research on a variety of non-Fortinet products and services with the aim to identify potential security threats. Fortinet’s research team is part of FortiGuard Labs, which is a security service that powers Fortinet’s solutions. The security research achievements help to protect customers, companies, and the general public.

Fortinet is committed to a responsible disclosure process that allows the impacted companies the opportunity to fix the issue, while also increasing consumer protection by blocking exploits against unpatched security vulnerabilities.

If Fortinet identifies a verified vulnerability that is not yet public originating from a particular company, then Fortinet will notify the impacted company. Fortinet and company will work together in good faith to resolve the issue, which typically involves the company patching the vulnerability and Fortinet making the vulnerability known to the public 90 days after Fortinet first notified the company. If so desired by the company, Fortinet may agree to enter into an agreement that outlines the process for notifying and fixing security vulnerabilities moving forward.

If a company fails to respond to Fortinet after multiple notifications, refuses to cooperate or patch the vulnerability, or the sides are otherwise unable to resolve the situation, then Fortinet reserves the right to publish the security vulnerability 30 days after first notifying the company.

Fortinet will either make a limited or full disclosure of the vulnerability. A limited disclosure may include: (a) the name of the affected company and product, (b) the type of threat exposed through the vulnerability, (c) any recommended actions, and (d) technical details but not enough to reproduce the vulnerability; while a full disclosure will include more detail such as what caused the issue or how to reproduce the vulnerability. It is within Fortinet’s sole discretion how much detail to release, but a full disclosure typically only occurs where the vulnerability was patched or is actively being exploited, so that appropriate defense measures may be put in place by you. Fortinet publishes the vulnerability advisory on its FortiGuard website, but may also make the vulnerability known via other mediums, such as through blogs, conferences, media outlets, press releases, or research papers. Fortinet will use reasonable efforts to communicate schedule of planned mediums including conferences with the appropriate stakeholders within the affected company.

If you have any questions or comments, please contact secresearch@fortinet.com. If you would like your communication to be encrypted, please use the PGP Key.