Details

Let’s Tailor Your Privacy Experience

Privacy is important to us. To provide you with the best experience, please select the region that applies to you.

Europe

Americas

Asia Pacific

Other

All / Brand,Awareness

Product Security - Report an Issue

Achieving trust through rapid response & transparency

Forcepoint's Product Security Team (PST) is a global team that coordinates security testing, vulnerability management, and vulnerability communication for products created and services provided by Forcepoint, including those that are now end-of-life (EOL). PST receives reports of vulnerabilities via email to [email protected] using our PGP key (https://www.forcepoint.com/sites/default/files/keys/0x756d3b2b.asc).

Disclosure and Embargo Policy

In Scope PST handles the security of Forcepoint products and services and whether they themselves are vulnerable to threats.

Out of Scope Corporate Infrastructure Security concerns regarding the Forcepoint.com website and email domain should be directed to technical support: https://support.forcepoint.com/contactsupport.

Efficacy Questions regarding the efficacy or ability of Forcepoint products and services to detect/protect/block against threats should be directed to technical support: https://support.forcepoint.com/contactsupport.

Website Categorization You can suggest a new categorization via https://csi.forcepoint.com/ after you analyze your website. The Forcepoint Labs team will then review. Alternatively, you may open a support case by contacting technical support: https://support.forcepoint.com/contactsupport.

Vulnerabilities Forcepoint defines a security vulnerability as an unintended error or weakness in the program or in its default configuration that enables or risks compromise of confidentiality, integrity, or availability of the product or service; or a significant bypass of the intended security offering.

Reporting All vulnerability submissions must include the following information:

Salesforce Ticket
Company/organization name
Product type(s) (i.e. AP-WEB, AP-EMAIL, DLP, etc.)
Product version(s) (i.e. 8.3.0, 8.4.0, 8.5.0, etc.)
Deployment type(s) (i.e. v10k appliance, v5k appliance, software, etc.)
Listing of applied/missing hotfixes
Interface listing per IP/host
Complete vulnerability report that indicates the mentioned vulnerabilities and includes information needed to reproduce what was observedA vulnerability reporter (reporter) can expect a confirmation of receipt within one business day. Once a report is received, PST will begin research to confirm the existence of the vulnerability, and if verified, the versions affected. During this process PST may reach out to the reporter for additional information, e.g. a proof of concept exploit, as needed. Throughout this process PST will share any relevant status updates with the reporter as they develop.

Once this analysis is complete Forcepoint will decide, based on factors including CVSSv3.1 score, the timeline for producing an update or workaround. We strive to resolve vulnerabilities with a CVSSv3.1 score of 4.0 or higher within 90 days in the absence of complexity and other factors. Whether to address vulnerabilities with a score below CVSSv3.1 4.0 will be decided on a case-by-case basis.

CVE Assignment Once a decision has been made to address a vulnerability, a CVE ID will be selected from our allocated block and shared with the reporter.

The CVE ID will become public once a Knowledge Base Article (KBA) on Forcepoint Support (https://support.forcepoint.com/) addressing the vulnerability is published. Once we publish a KBA we will update the Program Root CNA--MITRE Corporation--with the requisite details for their distribution.

Forcepoint credits reporters in KBAs, if they:

Give consent for such publicity
Do not publicly disclose information about the vulnerability before the KBA is published
Do not publicly disclose information about exploitation of the vulnerability until a period of 90 days has passed since the publishing of the KBAReporters may provide a list of names of individuals and/or organizations to be credited.

Product Security - Report an Issue

Achieving trust through rapid response & transparency

Disclosure and Embargo Policy

In Scope PST handles the security of Forcepoint products and services and whether they themselves are vulnerable to threats.

Reporting All vulnerability submissions must include the following information:

Salesforce Ticket

Company/organization name

Product type(s) (i.e. AP-WEB, AP-EMAIL, DLP, etc.)

Product version(s) (i.e. 8.3.0, 8.4.0, 8.5.0, etc.)

Deployment type(s) (i.e. v10k appliance, v5k appliance, software, etc.)

Listing of applied/missing hotfixes

Interface listing per IP/host

Complete vulnerability report that indicates the mentioned vulnerabilities and includes information needed to reproduce what was observedA vulnerability reporter (reporter) can expect a confirmation of receipt within one business day. Once a report is received, PST will begin research to confirm the existence of the vulnerability, and if verified, the versions affected. During this process PST may reach out to the reporter for additional information, e.g. a proof of concept exploit, as needed. Throughout this process PST will share any relevant status updates with the reporter as they develop.

CVE Assignment Once a decision has been made to address a vulnerability, a CVE ID will be selected from our allocated block and shared with the reporter.

Forcepoint credits reporters in KBAs, if they:

Give consent for such publicity

Do not publicly disclose information about the vulnerability before the KBA is published

Do not publicly disclose information about exploitation of the vulnerability until a period of 90 days has passed since the publishing of the KBAReporters may provide a list of names of individuals and/or organizations to be credited.