CYBERARK LABS

Innovation From the Cutting Edge of Cyber Security Research.

COORDINATED DISCLOSURE POLICY

As part of the innovative research performed by CyberArk Labs, we occasionally identify security vulnerabilities in third-party products or software.

In those cases, CyberArk Labs works to notify the relevant party in charge of the development or sale of the software/product/service (“Vendor”), so that they can remediate these vulnerabilities before they are publicly disclosed. Consistent with coordinated disclosure best practices, we believe that it is important that Vendors have this opportunity to enhance their products’ security and the security of their customers. At the same time, we also believe it is important to publicly disclose information regarding security vulnerabilities, both to help enhance overall security awareness, and to facilitate understanding of particular security risks.

CyberArk Labs will make reasonable efforts to provide the relevant Vendors with the necessary information required to effectively address an identified vulnerability within a reasonable timeframe prior to public disclosure.

This policy outlines the process followed by CyberArk Labs to responsibly disclose security vulnerabilities that it identifies:

  1. CyberArk Labs will make reasonable efforts to contact the potentially impacted Vendor.
  2. CyberArk Labs will disclose relevant and available information obtained regarding a security vulnerability to the relevant Vendor.
  3. If the Vendor does not respond to such outreach, CyberArk Labs reserves the right to publicly disclose the identified vulnerability no less than two weeks (14 days) after the initial attempted contact.
  4. If the Vendor responds to outreach from CyberArk Labs within the two-week period outlined above, CyberArk Labs will delay public disclosure for up to three months (90 days) from the initial attempted contact, to facilitate the Vendor’s development of a mitigation to the identified vulnerability. Following such period, CyberArk Labs may publicly disclose the identified vulnerability. CyberArk Labs will consider reasonable requests and extenuating circumstances (such as active exploitation) in delaying public disclosure.
  5. Notwithstanding the foregoing, a public disclosure will be released at the discretion of CyberArk Labs under the following circumstances:
    1. The Vendor provides official confirmation that the vulnerability has been remediated, in which case CyberArk will allow an additional 30 days after such date, intended for user patch adoption;
    2. The above deadlines expire, and the Vendor has either failed to respond, ceased responding to CyberArk Labs communications, or is unable to provide a reasonable explanation for why the identified vulnerability has not been remediated; or
    3. The Vendor is unable or unwilling to remediate the identified vulnerability.
  6. Public disclosures released by CyberArk Labs will not incorporate information that could be used to exploit a vulnerability identified by CyberArk, without a fix or mitigation technique. All public disclosures may also be redacted or otherwise obfuscated at our discretion to prevent exploitation of the identified vulnerability.
  7. CyberArk Labs will publicly release security vulnerability disclosures on our official CyberArk Labs website.

This policy does not in any way limit or prevent CyberArk from releasing product or solution enhancements or improvements at any time in order to protect our customers.