Report a security issue
Elemental takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our products or services.
Reporting Suspected Vulnerabilities
If you would like to report a vulnerability or have a security concern regarding Elemental products or services, please e-mail elemental-security@elemental.com. So that we may more effectively respond to your report, please provide:
- A brief description of the issue including issue type (Elevation of Privilege, Cross-Site Request Forgery, Cross-Site Scripting, etc.) and where found (Elemental Product or Server).
- Steps to reproduce the issue.
- Supporting documents including screenshots, tool output, and/or Proof of Concept code.
- Any suggested solutions to resolve the issue.
And any other relevant information that would be useful in helping us understand the nature and severity of the vulnerability. If you would like to protect your email, feel free to use PGP. Elementals PGP public Key is here.
The information you share with Elemental as part of this process is kept confidential within Elemental. It will not be shared with third parties without your permission. Elemental will review the submitted report and assign it tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
Evaluation by Elemental
Once the report has been submitted, Elemental will work to validate and assign a severity rating to the reported vulnerability. You may be contacted by an Elemental representative, if additional information is required in order to validate or reproduce the issue. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure.
If the issue cannot be validated, or is not found to be a flaw in an Elemental product, this will be shared with you also.
Elemental uses version 3.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. This helps to quantify the severity of the issue and prioritize our response. The CVSS V3 calculator can be found here.
Public Notification
In order to protect our customers, Elemental requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.
If applicable, Elemental will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously. If a public notification is needed Elemental will give credit to the reporter for finding the issue.
These are instructions about they key.
Please copy the below code
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQINBFZvDukBEADBHA5CoRYYXLVEayQ9kgVwZsi84CVEl9xY1kWn6SiR+vWvdt8E ImDeNnqBkLphk2fu7BwuuKfLDTpVI8UAIjsL3eGCnnN901ho6M2K7WnrSu8pfutB jchhYLxbLjGGJvXSSgGT1TQ7kPRKsiiiBwKNxgQzjr2PWgCO8fPjUuNl+TMpWtd6 maQJluGkXH31OPu2Z+gohuGheeFLg4yEtJcICGVYo5mjHYVD5zcuvqQ13mk2ZZzw rY5jyLYSTSq5tWhIx7QSAuP81OGvaASlv4eljakAODhUhy33xTOzclSaEhFh5yOo NijRKzwDU82tE197gEjTfm8HHJvpJDl46zThugNgxTi1SGaMwcT3RO0UXWRznnbB GCQxuqztU7khFpL2sr3Rc7djJdnGZ9FZI90yCFfUfWE6WamXArkqvuIKSMCOjVrb zxvZkgy5sMTJfNEWgbJrf9pIE1QNu+FMnhUifFY3a8/+RcIztxJygNmU+LyTJuZS zhxyXxmxjJPAFb3sB7ddKroi3nL0b+b3lqrierdO9qBgz9J/46WnxuVlWQLge4hV adQV/JrH3vChFvmr6R1F/wWfzT8Jf9x10QnZdGGSLHETRM9TAOoT9uKjNQ3qREhg HhDImTlD4FCN/+60fCngcRJlC18Urs40fOLsRS3KbozJ3EcrLJilkcPoMwARAQAB tERFbGVtZW50YWwgVGVjaG5vbG9naWVzIFNlY3VyaXR5IDxzZWN1cml0eUBlbGVt ZW50YWx0ZWNobm9sb2dpZXMuY29tPokCOQQTAQgAIwUCVm8O6QIbAwcLCQgHAwIB BhUIAgkKCwQWAgMBAh4BAheAAAoJEA4BzODY9/0INFgP/j42VpzRHVLtePpDLU0c abtMXvkk9tfdi8f8SLdajD7x8FSszF3l2//JByuP2izekh0vWeCO1bKRR8K0+eHe lrHOdHhrC0uczMRCYSj6Sr5VcoKuvv80XbXpbTX9idWUmmleaEQr7V3U74CPvg7x FNBJSw1XxdCd7CEY1mlaMVyl1Ec70CqxIC9kOmu6SV55k+RGsa3JPTj97ALnkCYq 9j7O6quAPPtL41X9YEuBb86lg2XcHPA/X8a6C/hiMVxXXssDsKTlsmLPIH7krS75 hQPNB3PdAfuSeQUp2eSeLhp+VDKAGcPn1GWi9LVuCmqFrOKCrs1ZvCZlFElRc2dD u3KUjvtn2czDOCyelBszx0P044HNl3ZV/ApTXWQOJh1DSxCN+N5qOZo7dEFo4t0K 9+Y0d8TD4N1wNhfWRZvvvCWei890gwcuaxIu2HDDUU47wWAb4+RUaWFYNoJtJK9+ zsYzFcUv+aCV0jDY8uEiFpxCDQgp52VbMpCCL8KurEUD8vSHNqy1qM3hOrUHCK75 U8r4Ajbu73gXc5P+9muAMQJ0mBBH3PbcMCLST6CwrRjWrpORAbcFPuZb5uMv654u hUVTI54s4n3Ggc0UEoHTsCvbnAI08jWQR+NtL9rWC7gahITNKUgXOrFAmxtRoo/G EImf23A0UOG7NJFcQkMjbjWvuQINBFZvDukBEACx4NBbskhXkGmxta4iqLiSdxMT L69vheybQoC3wkO39BrOFoLYBA2hx1CXr4KgCsCCHlLgDwT4Ytp2qpHu8WYSZqHI 6fLmIvRVCDYutkCnBgux2bmOzvihkMIfG1RwgojHY8ByLTpEWD5st+Oiun5489UG 9U2/EsFaZsSNPmAf6W2LMDlJrKUl3Lmq+14l1aHg0woy3Ixv2mPkIzwOY5w+oELo xG5zLCQLs5jB1TigLn//Qn2j4yXyD7TW3+OxIesjaHYTNhnaU/2EeT5kWLDh6cDf 8ZSd12wXULgz3YcJErrZFAodniOa7RYNEjl3F++HG1zQvkjzB5JFv+17f87KmOgz sD46kmakSVeyukR5rkV6BkKLGn2KC0fYB/1sPJWUKGp6drDv0PwZ3oC75w/4WX1W +nKzvj4KFlYmQOt0PP19fz+JRIFkkjWFTMV7itqVdswhCR2ubUQxrdT5gqpcW26e AsRrzgiffvrXKkRSqMDLDs3Kx19o+boQyyCgbsj219tUzK0yKU7J3zu/el0WODws cRbPNc0ov4cLhjnkj5RMNuOtdVdPa+11OdflJPhaf729Qi+0tPBPmhCxyAc/ym8/ dwF8YzEyFOtcm8zEH2KSKYiBemhS/mxZ5Q6oHUHv+uC3kaIfikGnEZ7q4KYJmK6/ V7YkR/e/3Kzgc1zqOwARAQABiQIfBBgBCAAJBQJWbw7pAhsMAAoJEA4BzODY9/0I GQIQAJ+f4HvjEi+uDM16H8iLUVdB4hldg5EXRUQ+UCHcJW9wJAt2MevAuCPYTPUA lwxpdgcA3JQU93tylUSeIOrLR3Ec/Fw/T9rnYHIDLEpcZlVeRZ5N6Oy0TmU20m8o JbG3h9RU2pO+I6ze6J4djlcI89vXrT0k2LvhVswTo903xy7vIkAxElzBiEx+qgM/ QdSgZdudASdewCBCrXjjCFl5jaD63a0nzYVHqKSEUxpoLE49l8nAFJDc+rD5pf/4 ReWFgvYeZmTxBvKKMvj+L/hLfbXzglQm4k9PrXolisDq/uK91Yn7TOazy2ugpPlD anDJ4Hafds14F9S8fjWrAYcYQXu6EvNnNqTqWXdQz/fS2617KmuggZCLRUuuSHRA 3SKktQuGDDmxvlGYyd39xmpS5n2rv36NFHzCd/q+34U4weGBfxxEz7tzGbsiVcpI VwGa0mRCobuN+844iy/rNvViFobiCcMuObWdqiZASmk94PhhU9PR2fUl+w/mPmHk R67Ctg+7tc561VFR7Eae+ksptduV08kMLA6e5+lQ1gYRWr6MWsNfciPQjlYj+8Np Dq8eRt8fiO7MiyeRueYsKjvVV+7BNT6986EnX4rkRJlbvq7aEGYCSAQ9ZWIwRD0n Pz8CzwbaIqQnSgQar3ZXDDJA0ty2Cu/fmzIt8zt/qXMuz6tG =kZDQ -----END PGP PUBLIC KEY BLOCK-----