Vulnerability Disclosure Guidelines

Report a security vulnerability

If you believe you have discovered a security vulnerability that affects ForgeRock software, services, or web servers, please report it to us. We welcome reports from everyone, including security researchers, developers, and customers.


How to report a security vulnerability

To report a security vulnerability, use the web form below. We will triage the submission and get back to you.


You may also report your discovery by emailing [email protected]. Please ensure that you include the following information:

  • The specific product and software version(s) which you believe are affected
  • A description of the behavior you observed as well as the behavior that you expected
  • A numbered list of steps required to reproduce the issue and a video demonstration, if the steps may be hard to follow
  • ForgeRock may facilitate a file exchange if required, for larger files

You'll receive an automatic reply from ForgeRock to acknowledge that we received your report, and we'll contact you if we need more information.


How ForgeRock handles these reports

For the protection of our customers, ForgeRock doesn't disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available.

ForgeRock uses security advisories, to publish information about security fixes in our products.