As a security vendor, there’s nothing we take more seriously than the integrity of the solutions we offer to better secure organizations around the world. As the security environments change and the threats facing enterprises evolve, investigating and responding to security issues becomes ever more important. While we realize there will always be new threats, new vulnerabilities and endless opportunities to improve, we wholeheartedly believe in embracing the external security research community. The combined efforts from our internal testing and external security researchers to discover potential security issues, and then remediate any and all issues will be paramount in further improving the security of both our solutions and our customers. We leverage BugCrowd to proactively engage with their community of vetted external security researchers and receive their vulnerability findings to triage in alignment with our Responsible Disclosure Policy.
If you are a current customer, please report the vulnerability through a customer support request instead of BugCrowd.
SailPoint Responsible Disclosure Policy
For any reported security issue, there is a 5-stage responsible disclosure process it must follow.
This stage is generally completed within a week, but will vary depending on the product and service. Once triage is completed, if there is an issue requiring a fix, SailPoint will provide confirmation of the issue and will begin the solution development/remediation process.
During this stage, SailPoint will assign notation (vulnerability title, internal notation, or Common Vulnerability and Exposures (CVE) number) for externally reported or publicly known security vulnerabilities in SailPoint products for reference. There are multiple factors affecting our time for fix availability such as issue complexity, severity of issue, and third-party vendor dependency.
SailPoint releases solutions at differing timeframes, depending on the severity and complexity of the issue found, in addition to the product(s) or service(s) affected. Once a solution is available, SailPoint will provide information to our customers about availability, encouraging them to download and apply the solution to the systems/assets not automatically updated or directly managed by SailPoint. Any recommended mitigations, where available, will also be communicated to customers. In this stage, SailPoint will not disclose detailed information about the issue as it pertains to the researcher until the disclosure policy for the available solution is complete for all impacted products, implemented in the service(s), website(s) or infrastructure.
Customer Deployment Period
We ask that researchers also honor this grace period of non-disclosure time as a courtesy to our customers, so they have sufficient time to apply the patch and update their systems. For our products where customer telemetry is available, SailPoint will continue to monitor customer update status and work with our Customer Support team to continue to notify our customer base of the disclosure timeframes and urge them to update as the end of the disclosure period draws near.
Public Disclosure and Notification
At or before the close of the 90-day period, SailPoint will issue an advisory and disclosure in the form of release notes or security notices with additional information about the security issue and will provide credit to the researcher who discovered the issue, unless otherwise requested.
SailPoint will remain in contact with the researcher throughout all stages of the process. As a standard practice for protecting our customers, SailPoint does not confirm, discuss or disclose any security issue or vulnerability until a fix has been released on all affected products, or implemented in the service(s), website(s) or infrastructure. Likewise, SailPoint requests that researchers not disclose any information about the finding (publicly or privately) until the public disclosure has occurred. SailPoint believes this to be the most productive course of action to continue to protect all parties involved, including our customers and partners who use our products and services, and those who leverage our infrastructure and applications to run SailPoint.
During the communication and disclosure process, SailPoint will indicate when the next contact will occur and when necessary, estimated timeframes.