Vulnerability Disclosure Policy
As a provider of security solutions, services, and research, Armis takes security issues very seriously. It is our policy to work and coordinate with other vendors with regards to discovered vulnerabilities, with the intention of keeping users and customers safe. This document will share our process for disclosure.
Armis will reach out to the impacted vendor, vendors, or other, through the appropriate contact method to notify them of the existence of a discovered vulnerability with regards to their product or service offering. If a vendor did not publish a designated security contact on their website, Armis will attempt to contact relevant contacts and will email “security@” mailbox. When a secure method of communication is provided from the vendor(s) or other, Armis will share its findings. To ensure contact is made, Armis will make multiple, documented attempts to contact the vendor(s) or other, either directly or through third parties.
If no response is received from the impacted vendor(s) or other within two weeks, Armis may choose to release the findings publicly in order to notify and/or protect the greater public.
Armis will do its best to work with the appropriate vendor(s) or group over a 90-day time period to address the vulnerability with a patch. We will provide additional information, as well as assistance, to ensure the security issues identified is verified and resolved. At the end of the 90-day period, or before, in a case where the issue is resolved, Armis may publish its findings in order to notify and/or protect the greater public.
With any security issue, we recognize that it may take longer than 90 days to address the security issues. In these circumstances, we will work with the vendor(s) or group on a case-by-case basis.
Armis reserves the right to discuss and disclose any discovered vulnerability with other parties or security vendors if we deem it is in the greater interest of providing a better overall response. Any such disclosure will be made responsibly, and the other party or security vendor must ensure proper action and disclosure should they take any action.
Armis will publish any security findings on its website and other locations, as deemed appropriate and responsible.