• Coordinated Disclosure

    Yubico is committed to maintaining the security and privacy of our products, services, and customers. We value the contributions of the security research community and have implemented a Coordinated Vulnerability Disclosure process to handle vulnerability disclosures in a manner that protects the community while encouraging responsible reporting.

    Reporting a Vulnerability

    If you discover a vulnerability in our products or services:

    1. Email Us:
      Send details to security@yubico.com. Include:
      1. A description of the issue and steps to reproduce it.
      2. Any supporting evidence (e.g., screenshots, proof of concept).
      3. Any potential impact and your recommendations for mitigating the risk.
      4. Your contact information (optional if you wish to remain anonymous).
    2. Encrypt Sensitive Data:
      Use our PGP key at https://www.yubico.com/.well-known/Yubico-Security-Team-Public.asc if needed.
    3. Act Responsibly:
      We request that you not share information about a potential vulnerability with others until we have had a chance to triage it and, if needed, provide mitigation to impacted customers.

    Our Process

    • Confirmation: We will confirm receipt of the report within 3 business days.
    • Triage: We will work with you to validate and resolve the issue.
    • Disclosure: We will notify you when the fix is complete and may coordinate public disclosure timelines, if applicable.
    • Acknowledgement: If desired, we will acknowledge your contribution as part of the disclosure process.

    Safe Harbor

    Yubico will not pursue or support any legal action related to the research and disclosure of a vulnerability when those activities follow Yubico’s coordinated vulnerability disclosure policy and process.