Last modified: July 17, 2024
The purpose of this policy is to balance the public’s need to be informed of security vulnerabilities with Phoenix Technologies’ need for time to respond effectively to the vulnerability. The final publication schedule will be based on the best interests of the community as a whole.
Phoenix Technologies follows a policy of coordinated disclosure in partnership with reporters (e.g., security researchers) who report discovered vulnerabilities to Phoenix and its partners.
When Phoenix receives a vulnerability report from a reporter, we open a dialog with them to understand the vulnerability and its scope, and to begin work on a fix for the reported issue.
Disclosure is an important responsibility for Phoenix as a CNA (CVE Numbering Authority), and Phoenix works closely with reporters to decide how and when a vulnerability should be disclosed. If code review determines that the vulnerability is a unique issue that Phoenix will own, Phoenix will reserve a CVE ID through the CVE Program.
Once Phoenix, the reporter, and the relevant stakeholders (such as Phoenix’s partners who may be affected) all agree that the vulnerability may be published, Phoenix will prepare a statement to be posted on our security notifications page. If more time is needed to create and distribute patches to affected partners, Phoenix will coordinate with the reporter to extend the embargo until Phoenix’s partners have had a chance to apply the relevant patches.
Reporters who report issues to Phoenix will be credited in our disclosure statement on our security notifications page, with attribution to the individual and/or the organization they represent.
Bug Bounties: Phoenix does not participate in any bug bounty programs.
Copyright © 2024 Phoenix Technologies Inc. All rights reserved.