Fidelis Cybersecurity, Inc. (“Fidelis”) is deeply committed to the security of the products and services we deliver to our customers and welcomes feedback from customers, security researchers, and the general public to help us improve security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues relating to Fidelis products and services, we want to hear from you. We only ask that you abide by our Responsible Disclosure policy and processes and provide Fidelis with the opportunity to investigate, resolve, and mitigate any confirmed security issues prior to public disclosure. This policy outlines the steps for performing compliant testing, reporting vulnerabilities to us, what we expect, and what you can expect from us.
2.0 Systems in Scope
This policy applies to the Fidelis products and services we deliver to our customers and the information contained within the networks, systems, and applications used to deliver those products and services. Specifically, it covers Fidelis Extended Detection and Response (XDR), Fidelis Network Detection and Response (NDR), Fidelis Endpoint Detection and Response (EDR), Fidelis Deception products, and Fidelis Insight threat intelligence and malware analysis services. As these are operational systems supporting our customers, vulnerability research associated with these products and services must be authorized by the owner, operator, licensee and/or subscription holder of the system or service being tested and must follow the ground rules and expectations outlined in this policy. For on-premises deployments of Fidelis products and services, testing must be authorized and approved by the licensee and/or subscription holder for the products being tested. For cloud-based (Software-as-a-Service) deployments and supporting services, vulnerability research must be authorized and approved by Fidelis. All other networks, systems, information, applications, products, or services owned, operated, or leased by Fidelis are considered out of scope with respect to this policy.
3.0 Our Commitments
When working with us, according to this policy, you can expect us to:
- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints;
- Recognize your contribution should your efforts result in discovery of unique vulnerabilities within Fidelis products and services; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.
4.0 Our Expectations
In participating in our vulnerability disclosure program in good faith and to minimize risk to our customers, employees, and company, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Only perform security research on in-scope systems with the express permission of the owner, operator, licensee and/or subscription holder of the system being tested. Employees of a company may not use their company access, license, test accounts, and/or subscription to Fidelis products and services to perform independent security research;
- Avoid using social engineering attacks, physical security attacks, and/or denial of service attacks in association with your research;
- Avoid violating the privacy of others, disrupting our systems or the systems supporting our customers, exposing or destroying data, and/or harming user experience;
- Use the communications mechanisms outlined below to promptly report vulnerability information to us. Information related to vulnerabilities shall be treated as confidential information, and not disclosed to third parties or publicly disclosed without express written consent from Fidelis. Fidelis will consider a submission noncompliant if the submission is publicly disclosed without our written consent;
- Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue and ensure our customers are protected before any information about the vulnerability is made public;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data, cease testing and submit a report immediately. In particular, stop and report at once if you encounter any user data during testing, such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, and/or sensitive or proprietary information;
- Do not engage in extortion; and
- If you are a Fidelis customer, use the Fidelis Help Center to submit information to us about vulnerabilities you have discovered.
5.0 Safe Harbor
When you conduct vulnerability research in accordance with this policy, we consider that research to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our End User License Agreement and Software-as-a-Service Terms and Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws and not to disrupt or compromise any data beyond what is permitted by this policy.
Please contact us at email@example.com before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action will be a significant factor in that decision.
Note that the Safe Harbor applies only to legal claims under the control of Fidelis. If your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or notify law enforcement. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third-party action based on your actions.
6.0 Reporting Security Findings to Us
Fidelis customers are encouraged to use the Fidelis Help Center for submitting information to us about vulnerabilities, privacy issues, exposed data, or other security issues you have discovered.
Security researchers and the general public (or anyone else without a Fidelis Help Center account) are encouraged to contact us at firstname.lastname@example.org to report any vulnerabilities, privacy issues, exposed data, or other security issues you have discovered. Once contacted, we will work with you to establish a secure communications channel and provide you with instructions on how to submit the information we will need to properly assess your security findings.