Security

Elemental takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our products or services.

Reporting Suspected Vulnerabilities

If you would like to report a vulnerability or have a security concern regarding Elemental products or services, please e-mail elemental-security@elemental.com. So that we may more effectively respond to your report, please provide:

  • A brief description of the issue including issue type (Elevation of Privilege, Cross-Site Request Forgery, Cross-Site Scripting, etc.) and where found (Elemental Product or Server).
  • Steps to reproduce the issue.
  • Supporting documents including screenshots, tool output, and/or Proof of Concept code.
  • Any suggested solutions to resolve the issue.

Please also include any other relevant information that would help us understand the nature and severity of the vulnerability. If you would like to protect your email, feel free to use PGP. Elemental's PGP public key is here.

The information you share with Elemental as part of this process is kept confidential within Elemental. It will not be shared with third parties without your permission. Elemental will review the submitted report and assign it a tracking number. We will then respond to you, acknowledging receipt of the report and outlining the next steps in the process.

Evaluation by Elemental

Once the report has been submitted, Elemental will work to validate the reported vulnerability and assign it a severity rating. You may be contacted by an Elemental representative if additional information is required in order to validate or reproduce the issue. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure.

If the issue cannot be validated, or is not found to be a flaw in an Elemental product, this will be shared with you also.

Elemental uses version 3.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. This helps to quantify the severity of the issue and prioritize our response. The CVSS V3 calculator can be found here.

Public Notification

In order to protect our customers, Elemental requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.

If applicable, Elemental will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously. If a public notification is needed, Elemental will give credit to the reporter for finding the issue.