The security of our products is one of our most important priorities. We build security into our products, and we encourage our customers and others in the technology industry to do the same. We strive to design, develop, and sell the world’s most secure technology products, and we are continuously innovating and enhancing security capabilities for our products. The purpose of this document is to provide more detail on our product security policy, including how we respond to vulnerabilities and engage with others in the industry.
The security of our products is an ongoing priority, not a one-time event. It begins with our Security Development Lifecycle, where security is engineered into our products from the outset. Once products are released, we continue to actively support them and address vulnerabilities. Beyond that, we are committed to working with the industry to share software innovations that will accelerate industry-level progress in security.
Versions of ACME that are currently being supported with security updates.
| Version | Release Type | Supported |
|---|---|---|
| 1.0.x | Official Rel | ✅ |
| < 0.x | Prototype | ❌ |
We work hard to find and mitigate security vulnerabilities in our products before we release them, but that is not always possible. Our products are highly complex and we cannot always anticipate all of the ways in which our products will be used or how sophisticated third parties will seek to undermine their integrity. Thus, we continue to test and evaluate our products after we release them to identify vulnerabilities. And, at times, third parties identify and disclose a vulnerability to us before we find it. When we learn of a vulnerability, from any source, our focus is to understand and mitigate that vulnerability as rapidly as we can. Sometimes we mitigate the vulnerability ourselves; other times we do so in conjunction with our customers, partners, and others in the industry. ACME’s product security response will be tailored to the circumstances, but will generally proceed in five phases: (1) Initial evaluation, including verifying the vulnerability and identifying its scope; (2) architectural assessment, including identification of mitigation options; (3) mitigation development and assurance; (4) mitigation deployment; and (5) public disclosure.
ACME – and nearly the entire technology industry – follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed. (See CERT® Guide to Coordinated Vulnerability Disclosure.) Coordinated Disclosure protects technology users because public disclosure of a vulnerability before mitigations are deployed could allow cybercriminals to exploit the vulnerability.
Under Coordinated Disclosure, the general practice is initially to disclose information about a vulnerability only to those whose assistance is needed to mitigate the vulnerability. Disclosing the vulnerability to others could increase the risk that information will leak, allowing bad actors to exploit the vulnerability. ACME generally will not disclose information about a vulnerability to a broader group until after mitigations are deployed. However, depending on the circumstances, ACME may disclose information about a vulnerability where there is active exploitation of a vulnerability, or where there is an increased risk of public awareness or exploitation of a vulnerability and disclosure by ACME could reasonably be expected to mitigate risk to ACME customers and end users.
Given the nature of our products, we commonly work with our customers and other third parties, including hardware, software, and services vendors, as well as end users, to develop and deploy mitigations. Effective mitigation requires all these parties to work together in coordinated cooperation. While we work to understand and mitigate a vulnerability, we will manage information about that vulnerability on a highly confidential basis; we will distribute information only to those who need to know in order to assist us in mitigating the issue, and only to the extent necessary to enable them to do so. We ask any third parties who know of the vulnerability to maintain strict confidentiality until mitigations are deployed.
While no cybersecurity vulnerability is ever routine, ACME and other technology companies have identified, mitigated, and then disclosed thousands of vulnerabilities. Updates and patches are a regular part of modern technology products, and leading operating system vendors routinely release them as well. Among the best security practices for every technology user are installing updates as soon as they become available and being continually vigilant to detect and prevent intrusions and exploitations.
We encourage our industry partners to continue to support and apply these practices and principles to stay ahead of the evolving threat landscape.
ACME's product development policy and practices prohibit any intentional steps to allow undocumented device access (e.g., “backdoors”), exposure of sensitive device information, or a bypass of security features or restrictions of its products. While we always comply with the laws of the countries in which we do business, we would vigorously oppose any law that sought to compel us to include undocumented device access into our products.
If you would like to report a security vulnerability to ACME, and for more information on ACME’s “bug bounty” program, please send an email to [email protected]
If you are a member of the press and have a question about product security, please send an email to [email protected].