Security Policy

Our Commitment to Security

At Multifactor, security is fundamental to our public benefit mission of reinventing zero trust for the modern web. We are committed to protecting our users, our products, and our infrastructure against threats. The trust of our users is paramount, and we hold ourselves to the highest standards to maintain it.

This policy is designed to be a transparent guide for security researchers to responsibly disclose vulnerabilities and for our users to understand our security practices. We believe that a collaborative relationship with the security community is essential for achieving our security goals.

Responsible Disclosure Guidelines

We encourage and value security research on our services and products. If you believe you have found a security vulnerability in any Multifactor offering, we ask that you follow these guidelines to report it to us.

Our Commitment to Researchers (Safe Harbor): If you conduct your security research and vulnerability disclosure activities in compliance with this policy, Multifactor commits to the following:

  • We will not initiate legal action or a law enforcement investigation against you in response to your report.
  • We will work with you to understand and validate your report, including giving you a projected timeline for remediation.
  • We will publicly recognize your contribution to our security, if you wish.

Rules of Engagement: To promote the safety of our users, our data, and the availability of our services, we ask that you act in good faith and:

  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data. Only interact with test accounts you own or with explicit permission from the account holder.
  • Do not access, exfiltrate, or store any user or company data. Your research should cease immediately if you encounter any non-public data.
  • Do not engage in social engineering (e.g., phishing, vishing) or physical attacks against Multifactor employees, offices, or data centers.
  • Provide us a reasonable amount of time to resolve the issue before any public disclosure.

Activities conducted outside of this policy may be viewed as non-compliant. We unequivocally do not condone or authorize any research that involves unauthorized intrusions into our systems, attempts to access private data, or actions that could impact the reliability of our services. Such activities are strictly prohibited.

How to Submit a Security Report

If you have discovered a security vulnerability, please share the details with us by sending an email to [email protected].

To help us validate and triage your finding more effectively, please include the following in your report:

  • Type of issue: (e.g., Cross-Site Scripting, SQL Injection, Remote Code Execution)
  • Product and Version: The product name and version number affected.
  • Detailed Steps to Reproduce: A step-by-step guide to reproduce the vulnerability, including any necessary proof-of-concept code, scripts, or screenshots.
  • Potential Impact: Your assessment of the potential impact of the vulnerability.
  • Contact Information: Your name and a way to contact you.

Our Process and What to Expect

  1. Acknowledgement: We aim to provide an initial acknowledgement of your report within two (2) business days for critical reports, or five (5) business days for most other reports.
  2. Triage & Validation: We will investigate your report to validate the vulnerability. We may contact you for additional information if needed.
  3. Remediation: If the vulnerability is validated, our engineering team will work to remediate the issue. We aim to fix critical issues in a timely manner, in line with industry best practices.
  4. Notification: We will notify you once the vulnerability has been resolved. We ask for your cooperation in not disclosing the vulnerability publicly until after it has been fixed.

Scope

This policy applies to security vulnerabilities found in:

  • Multifactor's commercial products and services.
  • Our open-source software offerings.

We only provide official support and remediation for the latest major version of our software. Vulnerabilities affecting unsupported or outdated versions may not be eligible for acknowledgement or reward.

Out of Scope: The following are considered out of scope for our responsible disclosure program:

  • Vulnerabilities in third-party services or vendors used by Multifactor.
  • Findings from physical testing or social engineering.
  • Denial of Service (DoS or DDoS) vulnerabilities.
  • Spam, phishing, or missing security headers that do not lead to a direct vulnerability.
  • Reports of non-exploitable vulnerabilities or those related to outdated software/browsers.

Recognition and Rewards

We deeply appreciate the efforts of security researchers who work to make our digital world safer. While we do not currently operate a formal bug bounty program, we believe in recognizing the valuable contributions of those who help us protect our users.

For legitimate and responsibly disclosed vulnerabilities, we frequently offer discretionary rewards, exclusive Multifactor swag, and acknowledgement on our public blog or social media channels as tokens of our gratitude. Eligibility for any of these rewards is at our sole discretion. Thank you for helping us maintain the security and integrity of Multifactor.