As a security vendor, there’s nothing we take more seriously than the integrity of the solutions we offer to better secure organizations around the world. As the security environments change and the threats facing enterprises evolve, investigating and responding to security issues becomes ever more important. While we realize there will always be new threats, new vulnerabilities and endless opportunities to improve, we wholeheartedly believe in embracing the public research community. The combined efforts from our internal testing and external security researchers to discover potential security issues, and then remediate any and all issues will be paramount in further improving the security of both our solutions and our customers.
To report a suspected vulnerability that affects any SailPoint product, service, website or infrastructure, please contact your assigned SailPoint representative. If you do not have a specific contact within SailPoint, email SailPoint at email@example.com. If you have any detailed or sensitive information, please sign & encrypt the email message content and/or attachments using the SailPoint PGP public key. You can find the current public key & expiration status on the following PGP global, public directories. If you do not wish for us to publicly disclose your involvement, please let us know in this initial email.SailPoint Public Key Published to these PGP Global Directories:
For any reported security issue, there is a 5-stage responsible disclosure process it must follow. Upon receipt of the report, the researcher will be contacted by email while SailPoint conducts initial triage and analysis of the issue.
This stage is generally completed within a week, but will vary depending on the product and service. Once triage is completed, if there is an issue requiring a fix, SailPoint will provide confirmation of the issue and will begin the solution development/remediation process.
During this stage, SailPoint will assign notation (vulnerability title, internal notation, or Common Vulnerability and Exposures (CVE) number) for externally reported or publicly known security vulnerabilities in SailPoint products for reference. There are multiple factors affecting our time for fix availability such as issue complexity, severity of issue, and third-party vendor dependency.
SailPoint releases solutions at differing timeframes, depending on the severity and complexity of the issue found, in addition to the product(s) or service(s) affected. Once a solution is available, SailPoint will provide information to our customers about availability, encouraging them to download and apply the solution to the systems/assets not automatically updated or directly managed by SailPoint. Any recommended mitigations, where available, will also be communicated to customers. In this stage, SailPoint will not disclose detailed information about the issue as it pertains to the researcher until the disclosure policy for the available solution is complete for all impacted products, implemented in the service(s), website(s) or infrastructure.
We ask that researchers also honor this grace period of non-disclosure time as a courtesy to our customers, so they have sufficient time to apply the patch and update their systems. For our products where customer telemetry is available, SailPoint will continue to monitor customer update status and work with our Customer Support team to continue to notify our customer base of the disclosure timeframes and urge them to update as the end of the disclosure period draws near.
At or before the close of the 90-day period, SailPoint will issue an advisory and disclosure in the form of release notes or security notices with additional information about the security issue and will provide credit to the researcher who discovered the issue, unless otherwise requested.
SailPoint will remain in contact with the researcher throughout all stages of the process. As a standard practice for protecting our customers, SailPoint does not confirm, discuss or disclose any security issue or vulnerability until a fix has been released on all affected products, or implemented in the service(s), website(s) or infrastructure. Likewise, SailPoint requests that researchers not disclose any information about the finding (publicly or privately) until the public disclosure has occurred. SailPoint believes this to be the most productive course of action to continue to protect all parties involved, including our customers and partners who use our products and services, and those who leverage our infrastructure and applications to run SailPoint.
During the communication and disclosure process, SailPoint will indicate when the next contact will occur and when necessary, estimated timeframes. Researchers may request status updates at any time by emailing firstname.lastname@example.org.
We thank you in advance for your participation, willingness and assistance to improve the security of our products and help us continue to protect our customers.
Due to the sensitive nature of security information, SailPoint provides a method for you to:
SailPoint public keys are uploaded to secure, global PGP directories which publish the current key(s), expiration date(s) and certificate revocation status. Alternatively, you may request our public key by sending an email to the address above.
Documents developed by the SailPoint Security team are signed with the SailPoint PGP key. We encourage you to check the signature to ensure that the document was indeed written by our staff and has not been changed.
Note for users of the security-announce mailing list: Some mail programs cause changes to messages, resulting in an indication that the PGP signature is not good. Critical information will also be posted to our web site as needed.
When sending sensitive security information by email, please encrypt it.