Artifex takes the security of our software products very seriously. We are committed to quickly resolving vulnerabilities to protect the security of our customers and the open source software community. This document describes Artifex’s policy for receiving reports related to potential security vulnerabilities in its products and the company’s standard practice with regard to informing customers of verified vulnerabilities.
We strongly believe in, and support, a coordinated approach to vulnerability disclosure as set forth by the Computer Emergency Response Team (CERT) at Carnegie Mellon’s Software Engineering Institute. Information on coordinated disclosure can be found in the Guide to Coordinated Vulnerability Disclosure. Artifex believes that coordinated and responsible disclosure is in everyone’s best interest and we strongly urge you to adhere to these guidelines when submitting vulnerabilities.
When to contact Artifex about a security vulnerability
If you have identified a potential security vulnerability in MuPDF please report the bug confidentially through our secure reporting system.
After your incident report is received, the appropriate personnel will contact you to follow-up. Artifex attempts to acknowledge receipt to all submitted reports as appropriate.
We request that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Artifex until we’ve had 90 days to resolve the issue.
Receiving security information from Artifex
Technical security information about our products is distributed through several channels.
- Artifex distributes information to customers about security vulnerabilities via e-mail. In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability though there can be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.
- As each security vulnerability case is different, we can take alternative actions in connection with issuing security notices. Artifex can determine to accelerate or delay the release of a notice or not issue a notice at all. Artifex does not guarantee that security notices will be issued for any or all security issues customers can consider significant or that notices will be issued on any specific timetable.
- Security-related information can also be distributed by Artifex to public newsgroups or electronic mailing lists. This is done on an ad hoc basis, depending on how Artifex perceives the relevance of each notice to each particular forum.
- Artifex works with the formal incident response community to distribute information. Many company security notices are distributed by regional CERT at the same time that they are sent through company information distribution channels.
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.
Information on our Bug Bounty Program can be found here.
Artifex adheres to ISO/IEC 29147:2018
Use of the information constitutes acceptance for use in an AS IS condition. There are no express or implied warranties or assurances with regard to this information. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Policy last revised: October 25, 2018