Reporting a Security Issue


Please report to us any issues you find. This page explains how to do that and what to expect in return.

All security bugs in Foregenix products or infrastructure should be reported by email to security@foregenix.com. This mail is delivered to a small security team. You will receive an acknowledgement email from a member of the team within 24 hours, followed by a more detailed response to your email within 72 hours. This will include details of the next steps in handling your report.

Please use a descriptive subject line for your report email. If possible, please also include the name of the product to which your report relates, e.g. [Serengeti], [FGXWeb], [Infrastructure].

After the initial reply to your report, the security team will endeavour to keep you informed of the progress being made towards a fix. These updates will be sent at least every three days. In reality, this is more likely to be every 24-48 hours.

If you have not received a reply to your email within 48 hours, or you have not heard from the security team for the past five days, please contact the security team directly:

Please note that emails sent to support@foregenix.com are visible to our entire support staff. When contacting this address, please do not disclose the details of the issue. Simply state that you're trying to reach a member of the security team.


Disclosure Process


Foregenix uses the following disclosure process:

  1. Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.
  2. The issue is confirmed and a list of affected software/infrastructure is determined.
  3. Code and systems are audited to find any potential similar problems.
  4. Fixes are prepared for all affected products and testing begins immediately. Where applicable, a notification is sent to affected clients to allow time to prepare their systems for the update.
  5. Updates are released for any affected products. Clients are given an initial deadline of 30 days to apply the updates before a public announcement is made.
  6. Once all clients are updated, or the agreed waiting period has passed, the issue will be included in the public release notes.
  7. In the case of critical vulnerabilities, an additional post mortem blog post may be published, giving credit to the reporter if desired.

This process can take some time, especially when coordination is required with a large number of clients. Every effort will be made to handle the issue in as timely a manner as possible; however, it's important that we follow the process described above to ensure that disclosures are handled consistently and that clients are not put at any unnecessary risk.


PGP Key for security@foregenix.com


We accept PGP-encrypted email. Please only use PGP for critical security reports.
