Reporting Security Vulnerability

Report a Security Vulnerability
One Identity is committed to addressing security vulnerabilities promptly and responsibly. If you believe you have identified a potential vulnerability in a One Identity product or service, we encourage you to report it using the process below to ensure it reaches the appropriate teams for review.

A security vulnerability is a flaw or weakness in the design, implementation, operation or management of a product or service that could be exploited to violate the system's security policy.  To protect businesses and organizations worldwide, it is critical that the broader community of IT and security professionals report potential vulnerabilities as soon as they are recognized. This allows industry experts to take appropriate action to resolve any vulnerability that is discovered.

Reporting a One Identity Security Vulnerability 
If you are aware of a potential security vulnerability with any One Identity product or service, we encourage you to contact us immediately. In connection with the completion and submission of the Vulnerability Submission Form, you may be asked to provide certain personally identifiable information. One Identity has a variety of security strategies intended to prevent unauthorized access to information we collect from third parties like you. We take very seriously our responsibility for complying with established policies, processes and controls relating to the protection of our customers’ data. 

To receive acknowledgement, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.

How to Report a Security Vulnerability 
To ensure your report is reviewed promptly by the appropriate teams, please follow the steps below:

1. Go to our Contact Support form
2. Under "Choose a Topic," select Report Vulnerability.
3. Complete the form with the following details:
    - A description of the issue
    - Product name and version
    - Steps to reproduce
    - Any supporting evidence (screenshots, logs, proof-of-concept code, etc.)

We ask that you refrain from publicly disclosing any reported vulnerability until our team has had the opportunity to investigate and respond. Responsible disclosure allows vendors to research and fix vulnerabilities before cybercriminals are notified of their existence. We appreciate your assistance in ensuring the security of One Identity products and services.

Terms and Conditions

• Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
• Please do not test for spam, social engineering or denial of service issues.
• Your testing must not violate any law, or disrupt or compromise any data that is not your own.
• Please contact us using the Vulnerability Submission Form to report incidents such as customer data leakage or breach of infrastructure.
• Information about the One Identity product or service, including a report of any vulnerability, is considered our confidential and proprietary information about our products and services. This confidential and proprietary information may not be disclosed to third parties.

How One Identity Responds to a Vulnerability Submission 
All reported vulnerabilities are investigated by One Identity. In most cases, a response for reported vulnerabilities should be expected within 24 to 48 business hours. Throughout the investigation process, One Identity makes every effort to work collaboratively with the incident reporter to investigate the vulnerability, gather required technical information, and to determine an appropriate action plan.

Upon investigation, if the reported issue is determined by One Identity to not be a vulnerability the Service Request will be closed and it is expected that the reporter will not report the issue publicly as a vulnerability without informing One Identity first.

Responsible Disclosure 
Notifying a vendor prior to releasing information publicly about a vulnerability is standard practice in the security industry and is known as “responsible disclosure.” This advance notice allows vendors to research and fix vulnerabilities before computer criminals are notified of their existence – keeping the Internet safer for business. We appreciate your assistance in ensuring that One Identity products and services are secure.

Acknowledgements
To review One Identity's Vulnerabilty Reporting Acknowledgements click here.