Foxit takes security very seriously and aims to provide the industry’s most secure solutions and services to keep customer data and systems safe. At Foxit, we investigate all received vulnerability reports and implement the best course of action in order to protect our customers. Foxit believes that working with skilled security researchers can identify weaknesses in any technology.
If you are a security researcher and have discovered a security vulnerability in our products and services, we appreciate your help in disclosing it to us in a responsible manner.
If you identify a verified vulnerability in compliance with Foxit’s Responsible Disclosure Policy, the Foxit security team commits to:
- Provide prompt acknowledgement of receipt of your vulnerability report (within 48 business hours of submission)
- Work closely with you to understand the nature of the issue and work on timelines for fix/disclosure together
- Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated.
- Post a description in a security bulletin when the fix is released, and acknowledge your contribution.
- Post a security advisory if required
Reporting a potential security vulnerability:
- Send an email to [email protected] to request gpg key
- Privately share details of the suspected vulnerability with Foxit by sending an email encrypted using gpp key to [email protected]
- Provide full details of the suspected vulnerability so the Foxit security team may validate and reproduce the issue
Foxit does not permit some types of security research:
To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:
- Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues as quickly as possible.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Foxit Software service.
While researching, the following conduct is expressly prohibited:
- Performing actions that may negatively affect Foxit and its users (e.g. Spam, Brute Force, Denial of Service…)
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on Foxit personnel, property, or data centers
- Social engineering any Foxit service desk, employee, or contractor
- Violating any laws or breaching any agreements in order to discover vulnerabilities
Foxit’s Chief Security Officer and General Counsel reviews our Vulnerability Disclosure policy from a legal and operational perspective on a yearly basis.
Foxit would like to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at Foxit.