Saviynt’s Intelligent Identity: Responsible Disclosure Policy

At Saviynt we work diligently to identify and correct any security issues found in our products. Customers and the research community who believe they have identified a security issue or vulnerability in one of our products are encouraged to contact [email protected].

Introduction:

Saviynt seeks to mitigate the risk associated with security vulnerabilities that may be discovered in our products. We aim to accomplish this objective by analyzing reported and discovered vulnerabilities and providing our customers with timely information, analysis, and guidance on appropriate mitigation by ensuring that our Responsible Disclosure Policy allows our customers and our affiliated research community an opportunity to notify us of security threats that may impact the safety of our customers.

Saviynt will engage with our customers and the research community when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate and fix vulnerabilities in accordance with our commitment to security and privacy. After investigating and validating a reported vulnerability, Saviynt will strive to create an appropriate remedy, if we believe a remedy is required. A remedy may take the form of:

  • a new product release, patch, or update,
  • corrective procedures to work around or resolve the security issue, or
  • additional guidance customers may use to provide protection against the reported issue(s) in the affected product(s).

This program is limited to Saviynt customers and affiliates.

Our Ask of You:

We encourage customer and research community observations made through normal usage of our applications. If you obtain data or personal identifiable information without authorization you are required to delete all instances of that data, logically and in some cases physically. You are kindly requested to inform us of this. We ask that you also:

  • Do not share any information relating to a vulnerability with a third party without express written consent from Saviynt.
  • Do not exploit a security vulnerability for any reason. We will assess the full possible impact.
  • Maintain the confidentiality of any details of the vulnerability
  • Only test against your own accounts. 
  • Do not access or attempt to access accounts or data that does not belong to you.

While we encourage you to discover and report to us any vulnerabilities you find, we expect that you will abide the law and your contractual agreements in doing so.

Reporting:

If you have discovered a vulnerability, please collect and send as many of the following points as possible to [email protected]:

  • Screenshots of the UI, console, or tool dashboards throughout the collection and analysis process ·  
  • A brief description of the type of vulnerability, for example; “XSS vulnerability”.
  • Steps to reproduce.

What to expect:

After you have submitted your report, we will respond to your report as soon as possible. Vulnerability reports might take some time to triage or address and Saviynt will not disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available.

Saviynt will as appropriate, publish information about security fixes in our products in the release notes.

Saviynt named a Gartner® Peer Insights™ Customers’ Choice: IGA Learn More >