Responsible Disclosure

Data and product security hold paramount importance for BeyondTrust. For security researchers interested in reporting vulnerabilities in BeyondTrust's products or services, the following information outlines our responsible disclosure process.

Reporting a Security Vulnerability

If you believe you have identified a security vulnerability within one of our products or services, we encourage you to promptly report it to our security team. To do so, please send an email detailing your findings to secure@beyondtrust.com.

Encrypt your report with our published PGP key so that vulnerability details are not exposed in transit. Include enough information for us to reproduce the issue, for example the affected product and version, the steps you followed, and the impact you observed. We treat reports in strict confidence and will not share your personal information with third parties without your explicit consent.

Response Time

Upon receiving your report, a member of the BeyondTrust Application Security team will acknowledge receipt without undue delay. In most instances, our response will include an assessment of the reported vulnerability and an estimated resolution timeframe. Occasionally we may need additional information from you to validate the report.

Resolution Process

Throughout the resolution process, we will keep you informed of our progress. Once a fix has been developed and released, we will credit you as the discoverer of the issue unless you indicate a preference for anonymity. Please note that BeyondTrust does not provide compensation or rewards for vulnerability discoveries.

This disclosure process exemplifies BeyondTrust's commitment to promptly and responsibly addressing security vulnerabilities. We value the contributions of security researchers in enhancing the security of our products and services, and your cooperation is instrumental in maintaining the integrity of our offerings. Thank you for your dedication to data and product security, and for choosing to collaborate with BeyondTrust in this endeavor.

Software Bill of Materials (SBOM)

SBOMs are comprehensive inventories of all the software components that make up a particular software product. They include open source and third-party components, as well as proprietary elements and external libraries and frameworks.

BeyondTrust is committed to demonstrating transparency in our practices and our role in fortifying the resilience of the software ecosystem. By generating Software Bill of Materials (SBOMs) for our products, we strive to continuously improve the security posture of the software supply chain. Our commitment to making SBOMs available aligns with our dedication to cybersecurity and to assist customers with achieving complex compliance requirements.
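As an added illustration of what a consumer does with an SBOM (this is example code, not a BeyondTrust tool, and the SBOM document, package names and advisory identifiers below are constructed for the example), the following parses a minimal CycloneDX JSON document, extracts each component's package URL and version, and checks the components against a hypothetical OSV-style list of affected version ranges:

```python
import json

# Constructed CycloneDX 1.4 JSON document. Illustrative only: the product and
# component names are hypothetical, not a real BeyondTrust SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "3.1.0"}},
  "components": [
    {"type": "library", "name": "example-parser", "version": "1.4.2",
     "purl": "pkg:npm/example-parser@1.4.2"},
    {"type": "library", "name": "example-crypto", "version": "2.0.5",
     "purl": "pkg:npm/%40example/crypto@2.0.5?vcs_url=git%2Bhttps%3A%2F%2Fexample.invalid"},
    {"type": "framework", "name": "internal-auth", "version": "1.3.0",
     "purl": "pkg:generic/internal-auth@1.3.0"}
  ]
}"""

# Constructed advisories in the shape of OSV-style ranges: a package is affected
# from "introduced" up to but not including "fixed". Identifiers are hypothetical.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl_base": "pkg:npm/example-parser",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-0002", "purl_base": "pkg:npm/%40example/crypto",
     "introduced": "1.0.0", "fixed": "2.0.0"},
]


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """Split a package URL into (base, version), dropping ?qualifiers and #subpath."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" not in core:
        return core, None
    base, _, version = core.rpartition("@")
    return base, version


def load_components(sbom_text):
    """Parse the SBOM and return its components; refuse documents that are not CycloneDX."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: %r" % doc.get("bomFormat"))
    components = []
    for comp in doc.get("components", []):
        base, version = split_purl(comp["purl"]) if "purl" in comp else (None, None)
        components.append({"name": comp["name"], "type": comp["type"],
                           "version": version or comp.get("version"), "purl_base": base})
    return components


def find_affected(components, advisories):
    """Return (component name, advisory id) pairs for components inside an affected range."""
    hits = []
    for comp in components:
        if comp["purl_base"] is None or comp["version"] is None:
            continue
        v = parse_version(comp["version"])
        for adv in advisories:
            if adv["purl_base"] != comp["purl_base"]:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((comp["name"], adv["id"]))
    return hits


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for c in comps:
        print(f'{c["type"]:<10} {c["name"]:<16} {c["version"]}')
    print("affected:", find_affected(comps, ADVISORIES))
```

Matching is done on the package URL rather than on the bare component name, because the same name can exist in several ecosystems and namespaces; qualifiers and subpaths are stripped first so that an SBOM entry carrying extra metadata still matches the advisory's base identifier.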

Secure Software Development

BeyondTrust follows a secure software development lifecycle (SDLC) that incorporates security and privacy by design while leveraging industry best practices such as code reviews by senior engineers, software security team engagement, and code analysis tools. The company's Engineering procedures outline this approach, which is guided by Agile development principles.

Developers and QA members work closely with product managers, development managers, and architects throughout the development process, ensuring that quality is a priority from the start, not just in the testing phase.

BeyondTrust's development methodology includes the following:

  • Agile Methodology: Breaks down development into short cycles, allowing for rapid feedback and iteration.
  • Secure Coding Practices: Helps to prevent security vulnerabilities from being introduced into the code.
  • Input Validation: All input is checked against what the code expects (type, length, format and range) before it is used, and input that does not conform is rejected rather than cleaned up.
  • Industry Alignment: Follows the OWASP Top 10 and the OWASP Application Security Verification Standard (ASVS), which together describe the most common classes of web application vulnerabilities and a set of verifiable security requirements for avoiding them.
  • Testing Procedures: Includes secure code reviews, peer reviews, static and dynamic application security testing (SAST/DAST), regression and acceptance testing, performance and load stress testing, as well as penetration testing and vulnerability scanning to ensure that the software meets quality standards.
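To make the input validation practice above concrete, here is an added example (not BeyondTrust code; the request fields, schema and limits are hypothetical) of an allow-list validator for a decoded JSON request body. It checks type, length, format and range, rejects control characters, and rejects fields the handler never declared, which is how mass-assignment style attacks are kept out:

```python
import re

# Allow-list rules for a hypothetical "create user" request. Constructed for the
# example; not a BeyondTrust API.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{2,31}")
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*",
    re.IGNORECASE,
)

SCHEMA = {
    "username": {"type": str, "pattern": USERNAME_RE},
    "display_name": {"type": str, "max_len": 64},
    "host": {"type": str, "pattern": HOSTNAME_RE},
    "port": {"type": int, "min": 1, "max": 65535},
}
REQUIRED = {"username", "host", "port"}


def validate_request(body):
    """Validate a decoded JSON object against SCHEMA.

    Returns a list of error strings; an empty list means the input is acceptable.
    Unknown fields are rejected outright so a caller cannot smuggle in attributes
    (for example "is_admin") that the handler never meant to accept.
    """
    errors = []
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    for field in sorted(set(body) - set(SCHEMA)):
        errors.append(f"{field}: unexpected field")
    for field in sorted(REQUIRED - set(body)):
        errors.append(f"{field}: required")
    for field, rule in SCHEMA.items():
        if field not in body:
            continue
        value = body[field]
        # bool is a subclass of int in Python; treat it as a type mismatch.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{field}: expected {rule['type'].__name__}")
            continue
        if isinstance(value, str):
            if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
                errors.append(f"{field}: control characters not allowed")
                continue
            if "max_len" in rule and len(value) > rule["max_len"]:
                errors.append(f"{field}: longer than {rule['max_len']} characters")
            # fullmatch anchors the whole value; a bare re.match would accept trailing junk.
            if "pattern" in rule and not rule["pattern"].fullmatch(value):
                errors.append(f"{field}: does not match the allowed format")
        else:
            if value < rule["min"] or value > rule["max"]:
                errors.append(f"{field}: must be between {rule['min']} and {rule['max']}")
    return errors


if __name__ == "__main__":
    good = {"username": "alice", "host": "db01.example.internal", "port": 443}
    bad = {"username": "alice; drop", "host": "db01.example.internal",
           "port": 70000, "is_admin": True}
    print("good:", validate_request(good))
    print("bad:", validate_request(bad))
```

The validator describes what is allowed and refuses everything else; it never tries to strip or escape bad characters, because a sanitized value can still be wrong for the context it ends up in (a shell, a query, a log line), and the point of the check is to stop the request before that happens.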

All product development and testing are performed in-house, giving BeyondTrust full control over the SDLC. No live data is used in non-production environments. This commitment to secure software development helps BeyondTrust deliver high-quality, secure products to our customers.
