Ivanti Vulnerability Disclosure Policy

Introduction

At Ivanti, we are dedicated to ensuring the security and integrity of our enterprise software products. We recognise the vital role that security researchers, ethical hackers, and the broader security community play in identifying and reporting vulnerabilities. This Vulnerability Disclosure Policy outlines our commitment to working collaboratively with security researchers to improve the security of our software. It describes how to report vulnerabilities to us, what we expect from you, and what you can expect from us.

Scope

This policy applies to any digital assets owned, operated, or maintained by Ivanti.

Ways to report security findings:

Vulnerability Disclosure Programme (VDP)

If you encounter any security-related issues involving Ivanti Products or Solutions, including those related to products from companies acquired by Ivanti (such as Pulse Secure and MobileIron Products), or if you have security findings related to Ivanti infrastructure or non-product matters, we encourage you to report them using one of the channels described in a later section of this page. Your watchful eyes and contributions are instrumental in safeguarding the security of our products and maintaining the integrity of our infrastructure. We appreciate your commitment to enhancing Ivanti's security efforts. Thank you for partnering with us in this important endeavour.

Out-of-Scope Vulnerabilities

The following types of attacks are not considered part of our Vulnerability Disclosure Programme:

  • Denial of Service attacks, including resource exhaustion attacks, exploits causing denial of service, or any form of "resiliency testing" against Ivanti Corporate or Ivanti Hosted Solutions that could lead to service disruption.
  • Physical testing of Ivanti Offices, Data Centres, Colocation facilities, etc.
  • Social Engineering of our employees, customers, partners, etc.
  • Any attack or event against an Ivanti product or solution hosted by a customer in their own network without prior approval for testing.

In addition to the above, the following vulnerabilities and weaknesses are out of scope:

  • any type of rate-limiting DoS or DDoS vulnerabilities.
  • any vulnerability that is only demonstrated as a lack of security best practice without actual security impact, such as, but not limited to:
    • weakly configured SSL/TLS service.
    • missing or weakly configured security headers such as, but not limited to:
      • Content Security Policy.
      • Strict-Transport-Security.
      • X-Frame-Options.
      • X-Content-Type-Options.
      • X-XSS-Protection.
      • Referrer-Policy.
    • missing HTTP cookie flags such as HttpOnly, Secure and SameSite.
    • supporting HTTP methods such as TRACE.
    • host header injection.
    • weak password policy.
    • missing or weakly configured email authentication methods and protocols such as SPF, DKIM and DMARC.
    • missing certificate pinning.
    • missing autocomplete directive on HTML forms.
    • missing code obfuscation.
  • information disclosure such as, but not limited to:
    • software name and version disclosure.
    • descriptive error messages.
    • stack traces.
    • known public files or directories.
  • user enumeration.
  • CSRF on unauthenticated actions or actions with minimal impact, such as login and logout functionality.
  • vulnerabilities that require hard prerequisites such as, but not limited to:
    • Man-in-the-Middle access.
    • physical access.
    • rooted devices.
    • outdated operating systems.
  • vulnerabilities that require unlikely user interaction such as, but not limited to:
    • Self-XSS.
    • Clickjacking (unless it is present on pages with sensitive actions and a security impact is demonstrated).
    • tabnabbing.
    • disabling security controls.
    • content spoofing and text injections.
  • CSV and Excel injections without demonstrated security impact.
  • open redirect, unless additional security impact can be demonstrated, such as loss of sensitive data.
  • unrestricted file uploads with only resource consumption impact.
  • vulnerabilities in third-party software such as frameworks, plugins, or libraries, unless security impact can be demonstrated.
  • vulnerabilities that have had an official patch for more than 1 month; these will be awarded on a case-by-case basis.
  • vulnerabilities only affecting users of outdated and unpatched client software, such as browsers (more than two stable versions behind the latest released stable version), spreadsheet viewers, deprecated technologies (such as Flash), etc.

HackerOne BBP

In addition to our Vulnerability Disclosure Programme, Ivanti operates a specialised bug bounty programme for selected Ivanti Products. This exclusive programme is invitation-only, granting security researchers access to dedicated environments hosting Ivanti Products.

Ivanti reserves the exclusive right to assess and qualify submissions for bounty rewards.

Please see our HackerOne Program for more details.

Our Commitment to You

In response to your report, Ivanti, in collaboration with the HackerOne triage team, will:

  • Respond to your report promptly and work with you to understand and validate it.
  • Acknowledge receipt of your report within two business days and work to validate the vulnerability within ten business days of receiving it.
  • Prioritise resolution of a confirmed vulnerability based on its severity, and provide regular updates to the reporter on the status of the remediation process.
  • Address and mitigate the reported vulnerability in good faith, seeking input or assistance from the reporter as necessary.
  • Not take legal action against security researchers who report vulnerabilities in accordance with this policy. We value the collaboration and dedication of the security community.

Reporting Channels

If you have discovered a security vulnerability in any Ivanti enterprise software product or service, we encourage you to report it to us in a responsible and coordinated manner. Please follow these steps:

  1. Report the vulnerability via email to our dedicated security team at [[email protected]]. If you wish to encrypt our communication, please use our PGP key here (Fingerprint: 5A86 C77C A361 B145 8A2C D672 DBF5 C7A9 FE96 C03D). Your report should include the following information:
    1. A detailed description of the vulnerability.
    2. Proof of Concept (PoC), if applicable.
    3. Steps to reproduce the vulnerability.
    4. Information about the affected product or service and its version.
    5. Your contact information, including your name, email address, and any additional contact details.

     The more details you provide, the easier it will be for us to triage and fix the issue.

  2. Alternative: We also offer an easy-to-use Vulnerability Report Submission Form.
  3. For general security inquiries: [[email protected]]

We ask that, in participating in our vulnerability disclosure programme in good faith, you:

  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
  • Report any vulnerability you’ve discovered promptly.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
  • Use only the Official Channels to discuss vulnerability information with us.
  • Provide us with a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly.
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
  • Interact only with test accounts you own or have explicit permission from the account holder to use; and
  • Do not engage in extortion.

Legal Safe Harbour

Researchers who make a good faith effort to comply with this posted disclosure policy will be considered authorised Ivanti testers. Ivanti will make an equally good faith effort to work with researchers who report issues under this programme. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Ivanti reserves the right to seek legal action against individuals who do not adhere to this policy and violate ToS (Terms of Service), EULAs (End User Licence Agreements), or local laws and regulations. Ivanti recognises only the responsible disclosure policies, timelines, programmes, or frameworks covered by this policy. Individuals who report potential issues under multiple programmes without first receiving clearance from Ivanti will not be considered as operating under this policy.

Version 1.0 (Nov 2023). The Vulnerability Disclosure Policy is also available for download.