
Program Overview

The Entrust Responsible Disclosure Program is committed to resolving security vulnerabilities in our products in a careful and timely manner. We take appropriate and necessary steps to minimize the risk to customers and aim to provide accurate information and resolution to address security threats in our products. 

Entrust follows responsible disclosure guidelines to ensure its customers can address potential vulnerabilities as quickly as possible to mitigate associated risks. 

We understand that you are taking your personal time and effort to report these issues. 

What we ask of you: 

  1. All testing must be legal. 
  2. Respect the privacy of others. 
  3. Make reasonable efforts to contact us. 
  4. Provide enough detail for us to verify and reproduce the vulnerability. 

What we promise you: 

  1. A secure way for researchers to report vulnerabilities. 
  2. A response to every report within a reasonable time. 
  3. Open communication with researchers. 
  4. Published security advisories.

Report a Vulnerability

We recommend that security researchers contact the Entrust Product Security Team by sending an email to [email protected]

Finders are encouraged to use the Entrust Product Security PGP key to encrypt sensitive information sent to this address. Before encrypting, confirm that the fingerprint of the key you obtained matches the one published below; a report encrypted to an unverified key may be readable by whoever supplied that key. 

PGP/GPG key fingerprint: 

8015 7C02 BBDB 2BA9 BFC0 68E2 C6A7 3905 B449 2509 
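As an added example (not code from the Entrust page), the following POSIX shell script encrypts a report to the Product Security key only after checking that the key it was given carries the fingerprint published above, and it selects the recipient by that fingerprint rather than by e-mail address so that a look-alike key with the same user ID cannot be chosen by mistake. It assumes GnuPG 2.2 or later is installed and that the public key has already been saved to a local file; the key file, report and output names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Entrust page: encrypt a vulnerability report
# to the Entrust Product Security PGP key, refusing to proceed unless the
# fingerprint of the supplied key matches the one published on the page.
set -eu

# Fingerprint as published on the page.
EXPECTED_FPR="8015 7C02 BBDB 2BA9 BFC0 68E2 C6A7 3905 B449 2509"

# normalize_fpr FPR: strip spaces and upper-case, so the spaced form shown on
# the page and the compact lower-case form gpg may print compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# fpr_matches EXPECTED ACTUAL: exit status 0 if the two fingerprints are equal
# after normalization, 1 otherwise.
fpr_matches() {
  [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# key_fingerprint KEYFILE: print the primary-key fingerprint of an ASCII-armored
# key file without importing it (gpg --show-keys, GnuPG 2.2+). In the colon
# listing the "fpr" record carries the fingerprint in field 10. Prints nothing
# if gpg fails or the file holds no key, which the caller treats as a mismatch.
key_fingerprint() {
  gpg --with-colons --show-keys "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_report KEYFILE REPORT OUT: verify the key, import it, and encrypt
# REPORT (for example a .tar.gz of PoC code and configuration) to it.
# --trust-model always suppresses the "untrusted key" prompt; that is safe only
# because the fingerprint has just been checked by hand against the page.
encrypt_report() {
  keyfile="$1"; report="$2"; out="$3"
  actual="$(key_fingerprint "$keyfile")"
  if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
    echo "refusing to encrypt: key fingerprint '$actual' does not match published '$EXPECTED_FPR'" >&2
    return 1
  fi
  gpg --import "$keyfile"
  gpg --trust-model always --armor --output "$out" \
      --recipient "$(normalize_fpr "$EXPECTED_FPR")" --encrypt "$report"
}

# Usage: sh encrypt_report.sh entrust-product-security.asc report.tar.gz report.tar.gz.asc
# (file names are placeholders). With no arguments the script only defines the functions.
if [ "$#" -eq 3 ]; then
  encrypt_report "$1" "$2" "$3"
fi
```

The resulting report.tar.gz.asc is ASCII-armored and can be attached to or pasted into the e-mail; keep the unencrypted archive off shared systems until the issue is resolved.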

When creating the report please provide as much of the following information as possible: 

  • Product Name, version, and operating environment. 
  • Type and impact of the issue. 
  • The configuration or state required to reproduce the issue, together with a compressed archive containing proof-of-concept code, scripts, or other data that helps reproduce it. 
  • Name and additional contact details (optional). 

To protect our customers and yourself, we strongly recommend that you: 

  • Do not exploit the vulnerability beyond what is needed to demonstrate it; for example, do not download more data than necessary, and do not delete or modify other system data. 
  • Do not reveal the problem to others until it has been resolved. 
  • Do not use the vulnerability to launch further attacks. 

We will handle all reports with strict confidentiality, and will not disclose your personal data to third parties without your permission. 

We strive to resolve all issues as quickly as possible. Once an issue is resolved, we would like to remain involved in any publication about it.

Vulnerability Handling Process

Security vulnerabilities in Entrust products are actively managed through our vulnerability management process, which covers four stages: 

  1. Reporting: The process begins when the Entrust Product Security Team is made aware of a potential security vulnerability in an existing product. The reporter receives an acknowledgment and updates throughout the handling process. 
  2. Triage: The Entrust Product Security Team investigates the issue, confirms whether it is a vulnerability, assesses the risk and impact, and assigns a processing priority. The outcome is communicated to the reporter. 
  3. Resolution: The product engineering team works with the Product Security Team to develop a fix that mitigates the reported vulnerability. 
  4. Disclosure: If the vulnerability is deemed to be of sufficient severity, a product advisory is created to give all affected customers the information needed to accurately assess their risk, along with remediation and workaround advice and the availability of any patches. Following disclosure, customer questions are handled by the Support Team in the usual manner. 

Entrust's disclosure policy ensures all customers receive the same information at the same time to avoid introducing further risk. 

Entrust also provides software and firmware updates as part of the Support Services offered during the Support Period of the product. 

Entrust will provide, during the Support Period, the following support to customers: 

(i) Use commercially reasonable efforts to investigate and find a resolution to failures reported by customers, and confirmed by Entrust, in accordance with the priority level assigned to the failure by Entrust in its reasonable discretion. 

(ii) Updating of the documentation as and when necessary. 

(iii) The provision of generally available maintenance software and software release notes. 

(iv) The provision, free of charge, during the Support Period, of generally available maintenance updates to the supported versions of the software as and when available. 

Note: Some software updates may require a hardware upgrade to function properly.