1. Introduction

Forti5 Technologies is committed to addressing and reporting security issues through a coordinated and constructive approach designed to provide the greatest protection for Forti5 Technologies customers, partners, staff and all Internet users. This policy applies to vulnerabilities discovered anywhere by Forti5 Technologies staff and by others in Forti5 Technologies’ services.

2. Reporting security issues

If you believe you have discovered a vulnerability in a Forti5 Technologies service or have a security incident to report, please fill out this contact form: https://www.forti5.tech/contact-us

We appreciate the use of the Common Vulnerability Scoring System: https://www.first.org/cvss/calculator/3.1.

Once we have received a vulnerability report, Forti5 Technologies takes a series of steps to address the issue:

  • Forti5 Technologies requests that the reporter keep any communication regarding the vulnerability confidential.
  • Forti5 Technologies investigates and verifies the vulnerability.
  • Forti5 Technologies addresses the vulnerability and releases an update or patch within 90 days. If, for some reason, this cannot be done within this timeframe or at all, Forti5 Technologies will provide information on recommended mitigations.
  • Forti5 Technologies publicly announces the vulnerability in the release notes of the update. Forti5 Technologies may also issue additional public announcements, for example, via social media.
  • Release notes (and blog posts when issued) include a reference to the person(s) who reported the vulnerability, unless the reporter(s) would prefer to stay anonymous.

Forti5 Technologies will endeavour to keep the reporter apprised of every step in this process as it occurs. We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our services and better protect our customers. Thank you for working with us through the above process.

3. Security issues found by Forti5 Technologies

Once we have found a vulnerability in another vendor’s products, Forti5 Technologies takes a series of steps to address the issue:

  • Forti5 Technologies will convene its vulnerability analysis team. This team, led by the Head of Cyber Security, is solely responsible for determining the severity of the vulnerability and managing the disclosure process.
  • Forti5 Technologies will keep any communication regarding the vulnerability confidential until the completion of the disclosure process.
  • Forti5 Technologies will attempt to contact the appropriate product vendor by email and telephone.
  • Forti5 Technologies will provide the vulnerability details to the vendor.

Forti5 Technologies will prepare and publish an advisory detailing the vulnerability at least 90 days after initial attempts at disclosure at stage 2 above, barring extenuating circumstances. This advisory will be made available to the general public via Forti5 Technologies’ social media.