Vulnerability Disclosure Policy


Introduction

Proofpoint is committed to ensuring the security of its employees, customers, and partners.  If you believe you have found a vulnerability in Proofpoint systems, networks, products, and services (collectively, “Products”) we encourage you to report it and thank you in advance for helping to make improvements to our security.

Once you submit a report, please allow us time to review, correct the issue, and respond. With your permission, we will recognize your contribution on Proofpoint's Hall of Fame.

Scope & Eligibility

This Policy applies to Proofpoint Products. Third-party products are excluded from the scope of this Policy.

Vulnerability testing for products or services deployed in an individual customer’s environment may only be conducted with the express written consent of the customer entity operating those products.  Proofpoint does not consent to testing on the customer’s behalf.   

If you are unsure whether a system is in scope, please contact security@proofpoint.com before starting your research. 

To participate:

  • You must be at least 18 years of age.
  • You may not be an employee of Proofpoint.
  • You may not be a resident of or make submissions from a country against which the U.S. has export sanctions or other trade restrictions.

If you do not meet the eligibility requirements or fail to follow the terms of this Policy, Proofpoint may, in its sole discretion, remove you from participating in the Policy and disqualify you from receiving any benefits under this Policy. 

Reporting & Testing Guidelines

If you intend to test Proofpoint Products, refrain from the following activities:

  • Destroying data in Proofpoint Products
  • Engaging in any interruption or degradation of Proofpoint Products
  • Uploading a shell or creating a backdoor of any kind
  • Conducting social engineering, testing physical security, or performing other non-technical security testing

If you believe you have discovered a vulnerability in Proofpoint Products:

  • Cease further testing and promptly submit a report to security@proofpoint.com
  • Describe the issue in such a manner that we are able to reproduce your research
  • Encrypt communications with us via our PGP key (as needed):

    Encryption Key
    Fingerprint: 806E 0096 7B5E 6E50 4C6B 083D 88B3 C1DA 8125 69D4

  • Permanently delete any Personally Identifiable Information (PII) that was obtained during testing

If you report a suspected vulnerability, Proofpoint will do our best to:

  • Acknowledge receipt within 1 business day
  • Assign resources to investigate the issue and fix legitimate vulnerabilities as quickly as possible
  • Keep you informed throughout the process and follow up if any additional information is needed
  • Obtain CVE identifiers for legitimate vulnerabilities in Proofpoint Products and publicly disclose them with our Security Advisories
  • Publicly acknowledge your responsible disclosure (unless you prefer anonymity)

Confidentiality

Any data you collect or obtain about Proofpoint’s employees, customers, and end-users in connection with your activities under this Policy is considered Proofpoint confidential information (“Confidential Information”). You may not use, disclose, or distribute any Confidential Information, including information about your vulnerability report, without Proofpoint’s consent. Any unauthorized disclosure of Confidential Information will result in a ban from participating under this Policy, and you will be held liable for any direct or indirect damages Proofpoint may incur as a result of the Confidential Information’s disclosure.

In the interest of protecting the Proofpoint customers who utilize Proofpoint Products, we ask that you do not disclose the existence, nature, and/or details of the confirmed vulnerability until Proofpoint has publicly disclosed the vulnerability’s mitigation.

Legal

By participating, you agree that you have read and understood the requirements of this Policy and agree to comply with its terms.  Proofpoint reserves the right to modify the terms and conditions of this Policy at any time.

You agree that your participation under this Policy is voluntary. Any activities conducted by you consistent with the terms of this Policy will be considered authorized and will not result in legal action against you by Proofpoint.  If legal action is brought against you by a third party for activities performed in accordance with this Policy, Proofpoint will make this authorization known to that party. Proofpoint reserves all legal rights in the event of non-compliance with this Policy.

Employment

No employment relationship is created by your submission of a vulnerability report under this Policy.

Compensation

Monetary compensation is generally not offered under this Policy. Proofpoint reserves the right to offer compensation in its sole discretion.