
Responsible Disclosure Policy

Responsible Disclosure:

Imperva cares deeply about maintaining the trust and confidence that our customers place in us. The security of our products and services is of paramount importance. If you are a security researcher and have discovered a security vulnerability in one of our products or services, we encourage you to disclose it to us in a responsible manner. Imperva will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy (this “Policy”). We will validate and fix vulnerabilities in accordance with our commitment to security and protecting our customers’ data. We will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy; however, Imperva does not waive and hereby reserves all legal rights in the event of any non-compliance.

Reporting:

We encourage security researchers to share the details of any suspected vulnerabilities with the Imperva Information Security Team by submitting the form at the bottom of this page. Imperva will review the submission to determine if the finding is valid and has not been previously reported. At Imperva’s discretion, you may be eligible for monetary compensation for your efforts. We require security researchers to include detailed information, including step-by-step instructions, that allows us to reproduce the vulnerability.

Our Commitment:

If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Imperva commits to:

  • Working with you to understand and validate the issue, and
  • Addressing the risk (if deemed appropriate by Imperva).

Noncompliance:

Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Imperva will deem the submission as noncompliant with this Responsible Disclosure Policy. This form is not intended to be used by employees of Imperva or Imperva subsidiaries, by vendors currently working with Imperva or Imperva subsidiaries, or residents of countries on the U.S. sanctions list.

In addition, to remain compliant you are prohibited from:

  • Accessing, downloading, modifying, or disclosing any data other than your own data, including, without limitation, any Imperva customer information;
  • Executing or attempting to execute any “Denial of Service” attack;
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software;
  • Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages;
  • Testing in a manner that would degrade the operation of any Imperva products, services, systems, or networks;
  • Testing third-party applications, websites, or services that integrate with or link to Imperva applications, systems, and/or networks; and
  • Engaging in any illegal activity.

Please fill out the form below if you have a security issue you wish to report to Imperva’s Security Team.

We Partner with Bugcrowd:

Our responsible disclosure process is hosted by Bugcrowd. If you already have an account on Bugcrowd under that email, we will be able to communicate and work together on that platform.

Safe Harbor:

When conducting vulnerability research according to this Policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this Policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under and in compliance with this Policy; and
  • Lawful and helpful to the overall security of the Internet, and conducted in good faith.

Please note that, notwithstanding any other term of this Policy, you are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please inquire via infosec@imperva.com before going any further.