
Phoenix Technologies CNA Vulnerability Disclosure Policy

Last modified: July 9, 2024


The purpose of this policy is to balance the public’s need to be informed of security vulnerabilities with Phoenix Technologies’ need for time to respond effectively to the vulnerability. The final publication schedule will be based on the best interests of the community as a whole.

Roles and Responsibilities

  • Phoenix Technologies – The Phoenix Technologies Product Security Team is responsible for triaging and analyzing new or potential vulnerabilities affecting Phoenix Technologies’ product portfolio.
  • Reporters – These are upstream parties, researchers, and individuals who report a vulnerability to Phoenix Technologies. All reporter data is aggregated and triaged by Product Security. Reporters may also wish to keep vulnerability information embargoed with Phoenix Technologies and other vendors until a fix is available. In these circumstances, Phoenix Technologies coordinates the embargo and disclosure dates with the reporter. Reporters are recognized on our public CVE (Common Vulnerabilities and Exposures) pages for valid flaws in coordination with us.
  • Industry Partners and Collaborators – Phoenix Technologies collaborates with other industry Incident Response teams through organizations such as FIRST or CERT-CC when there are mutually beneficial security objectives for the community or ecosystem.

Policy Statement

Phoenix Technologies follows a policy of coordinated disclosure in partnership with reporters (e.g., security researchers) who report discovered vulnerabilities to Phoenix and its partners.

When Phoenix receives a vulnerability report from a reporter, we start a dialog with them to better understand the vulnerability, so that we can determine its scope and begin to patch it.

Disclosure is an important responsibility as a CNA (CVE Numbering Authority), and Phoenix works closely with reporters to decide how and when the vulnerability should be disclosed. If the vulnerability is a unique issue that Phoenix will own, as determined during code review, then Phoenix will reserve a CVE ID through the CVE organization.

Once Phoenix, the reporter, and relevant stakeholders (such as Phoenix’s partners who may be affected) all agree that the vulnerability can be published, Phoenix will prepare a statement to be posted on our security notifications page. If more time is needed to create and distribute patches to affected partners, Phoenix will coordinate with the reporter to extend the embargo until Phoenix’s partners have had a chance to apply relevant patches.

Reporters who report issues to Phoenix will be credited in our disclosure statement on our security notifications page, with attribution to the individual and/or the organization they represent.

Bug Bounties: Phoenix does not participate in any bug bounty programs.