Vulnerability Disclosure Policy

Last update: September 2, 2024

Introduction

Check Point Software Technologies Ltd. (“Check Point”, “us” “our”) is committed to ensuring the security of its products. This Vulnerability Disclosure Policy (this “Policy”) provides security researchers with clear guidelines for conducting vulnerability discovery activities and conveys our guidelines and authorization for submitting discovered vulnerabilities to Check Point.

This Policy outlines the systems and types of research covered, the process for submitting vulnerability reports, and the required waiting period before publicly disclosing vulnerabilities. The goal is to foster a collaborative relationship with the security community to enhance the security of our products and protect our customers.

We encourage you to contact us to report potential vulnerabilities in our systems.

Guidelines

Researchers who discover vulnerabilities in our products are expected to follow responsible disclosure principles below:

• Notify us as soon as possible after you discover a real or potential security issue.
• Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly. Please keep the vulnerability confidential until we officially announce a resolution. We prioritize customer security and may need additional time to address certain issues.
• Do not submit a high volume of low-quality reports.
• Once you’ve established that a vulnerability exists or encounter any sensitive data (including personal data, financial information, proprietary information or trade secrets of any party), stop your test, notify us immediately, and do not disclose this data to anyone else.

Test Methods

The following test methods are unauthorized:

• Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
• Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.

Scope

1. Check Point Products
2. Check Point’s owned domains (e.g. www.checkpoint.com)

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing, unless specifically approved by Check Point in writing (in which case you shall be committed to this Policy). Additionally, vulnerabilities found in systems from our vendors fall outside of this Policy’s scope and should be reported directly to the vendor according to their disclosure Policy (if any). Should you have any doubt whether a system is in the scope of this Policy or not, contact us at security-alert@checkpoint.com before starting your research.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If you identify a system outside our current scope that you believe should be tested, please reach out to us for discussion. We may expand the scope of this Policy over time

Report a vulnerability specific to a Check Point product: security-alert@checkpoint.com Report any other (non-product) vulnerability involving Check Point here (select “Non-Product”).

Reporting a Vulnerability

Information submitted under this Policy will be used solely for defensive purposes – to mitigate or remediate vulnerabilities. If your findings include discovered vulnerabilities that may impact not only Check Point’s customers, but also other users of a third party’s product or service, we may share your report with the Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

We accept vulnerability reports at this form or:

• Report a vulnerability specific to a Check Point product: security-alert@checkpoint.com
• Report any other (non-product) vulnerability involving Check Point here (select “Non-Product”).

Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.

How can you send an effective report?

To help us triage and prioritize submissions, we recommend that your reports will:

• Describe the vulnerability that was discovered and the potential impact of exploitation.
• Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
• Be provided in English.

What can you expect from us?

If you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

• Within 3 business days, we will acknowledge that your report has been received.
• We will make efforts to be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
• We will maintain an open dialogue to discuss issues.
• In certain circumstances, we may deviate from this Policy, such as:
  • Imminent Risk: If the vulnerability poses an immediate risk to our customers, we may need to disclose it publicly without prior coordination.
  • Legal Requirements: We may be required to disclose vulnerabilities due to legal or regulatory obligations.

Revisions

We may revise this Policy from time to time. Any changes will be posted on our website.

Questions

Questions regarding this Policy may be sent to security-alert@checkpoint.com. We also welcome suggestions for improving this Policy.