1. PURPOSE
This policy has been created to provide guidelines for coordinated and responsible disclosure of previously unknown security vulnerabilities.
We take the security of our systems seriously, and we value the security community. The coordinated disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
2. SCOPE
This policy applies to the responsible disclosure of vulnerabilities identified in LogRhythm’s products and systems.
3. POLICY VULNERABILITIES
LogRhythm believes in maintaining a good relationship with security researchers, and we strive to acknowledge them (if desired). Additionally, LogRhythm strives to work with vendors, partners and competitors in resolving product vulnerabilities in a timely manner. Coordinating the responsible public disclosure of a vulnerability is key to protecting our customers.
During remediation, all disclosed information about vulnerabilities is intended to remain between LogRhythm and the reporting party—if the information is not already public knowledge—until a remedy is available and disclosure activities are coordinated.
Public disclosure of LogRhythm product vulnerabilities from LogRhythm employees shall only go through appropriate channels by coordinating with Management and Marketing.
3.1 LogRhythm Product Vulnerabilities
If a third party identifies a verified vulnerability in compliance with LogRhythm’s Responsible Disclosure Policy, LogRhythm commits to:
1. Provide prompt acknowledgement of receipt of their vulnerability report.
2. Work closely with them to understand the nature of the issue and work on timelines for fix/disclosure together.
3. Remediate the identified vulnerabilities and/or provide compensating controls according to their severity:
a. High and Critical: 30 days
b. Moderate: 90 days
c. Low and Informational: 180 days
4. Notify them when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated.
5. Publicly acknowledge their responsible disclosure (if they wish credit for such disclosure).
6. Not pursue or support any legal action related to their research;
7. Work with them to understand and resolve the issue quickly (including an initial confirmation of the vulnerability report within 72 hours of submission);
4. RESPONSIBLE DISCLOSURE GUIDELINES
LogRhythm supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. To encourage responsible disclosure, we ask that all researchers and third-parties comply with the following Responsible Disclosure Guidelines:
- To Report a Vulnerability, contact the Office of the CSO ([email protected])
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and LogRhythm until we’ve had an appropriate amount of days to remediate based on severity.
- Allow LogRhythm an opportunity to correct a vulnerability within the specified time frame before publicly disclosing the identified issue, in order to ensure that LogRhythm has developed and thoroughly tested a patch and made it available to licensed customers at the time of disclosure.
- Make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services.
- Only use the identified communication channels to report vulnerability information to us; and
- Do not modify, view, or destroy data that does not belong to you.
Responsible disclosure guidelines suggest that customers have an obligation to patch their systems as quickly as possible, and it is customary to expect patching to be completed within 30 days after release of a security patch or update. LogRhythm advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to patch timely.
5. POLICY COMPLIANCE
Any individual found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contract and potentially legal action.
