Security advisory policy
Through collaboration with the ForgeRock community and our customers, we strive to address security vulnerabilities transparently and rapidly.
Our ForgeRock security advisory policy describes how our community can engage ForgeRock on a security issue, as well as the process ForgeRock follows and the actions you can expect from us. ForgeRock customers should always raise a ticket with ForgeRock support for any security questions on our software. ForgeRock customers with questions that concern a code scanning report should refer to our Code Scanning Policy.
How to submit a security issue to ForgeRock
If you discover a security issue that affects a ForgeRock product, please email the details to [email protected] with the following information:
- How critical is the security issue?
- How did you become aware of the security issue?
- Did you discover the security issue yourself, or were you made aware of the issue through other means?
- A summary of the issue should contain the product that is affected, how the product is affected, and any known workarounds.
Upon receipt of the email, we will initiate our security process and will keep you informed about the progress of the issue.
Receipt of the security exploit
When ForgeRock receives notification of a new exploit or security issue within a ForgeRock product, it evaluates and resolves the potential security issue using the process described below.
ForgeRock assesses any potential security issue against three key areas: Criticality, Customer Impact and Publicity. They are assessed in this order of precedence:
- Criticality: Where does the exploit sit on the severity line? We use CVSS 3 scoring to determine the criticality.
- Customer Impact: What is the potential impact to the customer?
- Publicity: Has the security issue been made public, is there an exploit that has also been made public?
If you have received an exploit, please read through the following table; the threat level is determined by the following severity level criteria:

| Severity | Criticality | Customer Impact | Publicity | Recommended action |
|---|---|---|---|---|
| Critical | Clear security risk without requiring existing access or accounts. | A risk exists that customer data could be exposed or system integrity compromised. | Details of an exploit are in the public domain. | Apply mitigations or patches as soon as possible. |
| High | Threat exists, but prior knowledge of deployment, machine access, specific functionality or accounts would be required to exploit. | There is no risk to customer data. No significant risk to system integrity. | Limited details of the issue, but the exploit is not in the public domain. | Assess the threat and apply mitigations or patches as appropriate. |
| Medium | Only a risk in certain limited circumstances such as a specific deployment or configuration. | A successful exploit has limited impact on the environment, no risk to customer data or system integrity. | Known to specific individuals and/or organisations, not in the public domain. | Determine if your deployment is at risk and apply mitigations or patches as appropriate. |
| Low | Access to the physical machine might be required to enable the exploit through configuration/customisation changes. | Very limited risk to the environment. | Not in the public domain. | Apply the mitigations or patches in your next software update cycle. |
The responsible product manager makes the final decision on the appropriate severity level for the reported issue, based on the aforementioned criteria. The severity level then determines how the issue is routed:
- Critical: All known details are sent to ForgeRock’s internal security team, and the affected product manager is informed. The product security team is informed and starts to address the issue.
- High: All known details are sent to ForgeRock’s internal security team. The affected product manager and product security team are informed and start to address the issue.
- Medium/Low: All details are forwarded to the security alias to be covered in the next product management review meeting.
Product security team
ForgeRock’s product security team comprises product management, services, and engineering. It meets to plan the next steps for the evaluation and resolution of a security issue. The threat level determines whether an immediate fix and advisory are required, or whether a bug should be filed instead. The delivery of the security advisory is owned by product management.
Publication process and timeline
Once the security advisory has been approved for publication, a notification will be posted on the customer portal. Anyone who has registered with the customer portal will be able to access the contents of the security advisory.
Customers will gain access to all security patches, patch releases or maintenance releases for the issues described in the advisory at the time of publication.