PSIRT and Responsible Disclosure

The Fortinet Product Security Incident Response Team (PSIRT) helps to coordinate security for over 40 products - hardware, software, virtual machine and cloud, and for more firewalls shipped per quarter than all four of our nearest competitors. We work hard daily to improve our processes, train employees, directly improve product security, and work closely with third-party threat researchers as well as ensure a timely response for all reported issues. 

With regards to the FortiWeb vulnerability identified by Rapid7, Fortinet has published an Out of Cycle Advisory, FG-IR-21-116, to advise of the resolution and provide a workaround.

Workaround: Disable access to the management interface from untrusted networks, and use the Trusted Hosts feature to restrict access to trusted IP addresses for the admin users.

We are currently working to push out the fixes as quickly as possible and the advisory will be updated once this happens. A less than ideal situation which could have been avoided with better communication.

As well as resolving the issue, Fortinet is also looking at this particular instance as a learning opportunity and at lessons to take forward, including improving communications between third-party researchers. We would urge all submitters to disclose their responsible disclosure policy up front. Fortinet will add this request to our PSIRT process to ensure there are no surprises. Additionally, we will make our own responsible disclosure process more explicit in our PSIRT Policy.

At Fortinet, we are on a constant journey with our customers to best protect and secure their organizations. We welcome feedback from our customers on how we can better work together in this ongoing process. Please contact PSIRT via our Web Submission form if you have any suggestions or feedback.

Timely Resolution

Fortinet applauds the collaboration with customers, partners and third-party researchers to resolve issues. In particular, third-party researchers play an important role in protecting the cybersecurity ecosystem in alignment with responsible disclosure policies. These policies ensure that customers are protected while allowing time for exploration and a complete resolution.

Fortinet’s aims to deliver a 90 day mean time to resolution, and except for exceptional circumstances, we strive to meet this goal. Our 90-day disclosure policy is not out of line with many organizations - below is an example list of common Responsible Disclosure timelines:

CERT/CC                                45 days

Google Project Zero               90 day

Fortinet FortiGuard                 90 days

ZDI                                          120 days

In recent months, Fortinet PSIRT has made several changes to its policies to help customers coordinate the upgrade process and as such we have moved to a ‘patch Tuesday’ Advisory model. Fortinet aims to increase the upgrade rate of our customers by offering our customers one point in time in the month to focus on for potential upgrades in order to avoid patch fatigue.

Rather than narrowly fix the very specific reported issue, Fortinet also performs variant analysis to identify other possible attack vectors, so the fix may be broader than the reported issue and require additional resources. As part of our support and PSIRT policy, and depending on the issue, we may go back and support several firmware versions, each of which we aim to resolve prior to advisory publication. Additionally, Fortinet makes every effort to give customers advanced notification to help them address the issue early. 

Regardless of the scenarios above that may take additional time from a 90-day window, in order to protect our customers, we work diligently to meet our aggressive target, if not sooner.

Despite what has been reported, Fortinet is not rebuking or disputing any researchers. Fortinet fully appreciates the cooperation with third-party researchers. However, we do ask to work together responsibly in this process and disclose up front what the reporting organization disclosure policy is and provide adequate notification of publication to protect the cybersecurity ecosystem and provide the potential required mitigations for our customers.