Vulnerability Disclosure Policy for Fortress MSSP LLC
At Fortress MSSP, security is our discipline — not just our business. We take the security of our web properties seriously and welcome responsible reports from the security community. If you discover a vulnerability in our systems, we ask that you follow this policy and give us the opportunity to address it before any public disclosure.
This policy applies to the following in-scope assets:
Any assets or systems not explicitly listed above are out of scope. Do not test systems belonging to our clients, partners, or infrastructure providers.
The following activities are explicitly out of scope and will not be considered for acknowledgement. Engaging in these activities may forfeit safe harbor protections:
To report a vulnerability, send an email to our dedicated security address:
Security Contact
[email protected]Please include as much of the following information as possible to help us triage and validate your report efficiently:
When you submit a vulnerability report in good faith and in accordance with this policy, Fortress MSSP commits to the following:
Acknowledgement within 2 business days
We will send an initial acknowledgement confirming receipt of your report within two (2) business days.
Prompt investigation
We will investigate reported vulnerabilities promptly and keep you informed of our progress. Complex findings may require additional time; we will communicate expected timelines.
Transparent communication
We will notify you when the vulnerability has been validated, when remediation is in progress, and when it has been resolved.
No legal action for good-faith research
We will not pursue civil or criminal action against researchers who discover and report vulnerabilities in good faith, in accordance with this policy, and without exceeding the scope defined herein.
Credit and acknowledgement
If you wish to be credited for your finding in our security acknowledgements, we will honor that request. If you prefer to remain anonymous, we will respect that too.
Fortress MSSP supports good-faith security research conducted in accordance with this policy. We consider activities meeting all of the following criteria to be authorized:
Important: Safe harbor protections do not apply to activities that exceed the defined scope, cause service disruption, access or exfiltrate data beyond what is necessary to demonstrate the vulnerability, or involve systems belonging to third parties. Fortress MSSP reserves the right to pursue appropriate legal remedies for unauthorized access or malicious activity.
We request that researchers allow Fortress MSSP a reasonable period to investigate and remediate reported vulnerabilities before any public disclosure. We aim to resolve critical and high-severity findings within 30 days and medium or lower-severity findings within 90 days. If a finding requires more time due to complexity or dependency on third parties, we will communicate this and agree on a disclosure timeline collaboratively.
Looking for a structured security assessment rather than a one-off report?
Get Your Risk Assessment