ExtraHop's Vulnerability Disclosure Policy
Security is of utmost importance to ExtraHop, and we value the input of security researchers acting in good faith to help us maintain a high standard for the security and privacy of our customers. To this end, we welcome responsible vulnerability research and disclosure. This policy describes our expectations of ourselves and others regarding vulnerability disclosures.
Security Researchers
ExtraHop accepts vulnerability reports from all sources, such as independent security researchers, industry partners, vendors, customers, and consultants. ExtraHop defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability, or confidentiality of our products and services.
Scope
This policy applies to any digital assets owned, operated, or maintained by ExtraHop, including public-facing websites such as www.extrahop.com.
Out of Scope
- Community or Customer Forums
- Job Board/Careers page
- Missing HTTP headers
- Clickjacking
- SSL/TLS cipher configuration
- Self-XSS
- Social engineering of ExtraHop employees, contractors, vendors, or service providers
- Physical attacks against ExtraHop employees, offices, or data centers
- Unsolicited bulk messages (spam) or unauthorized messages
- Missing SPF/DKIM/DMARC issues
Our Commitment to Researchers
- Respect. We will treat all researchers with respect and recognize your contribution to improving the security of ExtraHop and its customers.
- Trust. We will maintain trust, confidentiality, and professionalism in our interactions with security researchers.
- Public Interest. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a disclosed vulnerability.
- Transparency. We will work with you to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy.
What We Ask of Researchers
- Respect. We request that researchers use best efforts to avoid privacy violations, negative user experience, disruptions to systems, or destruction or modification of data during security testing.
- Trust. We request that you disclose potential vulnerabilities in a responsible manner, providing enough time and detail for our team to validate and address potential issues.
- Public Interest. We request that researchers act for the common good, protecting user privacy and security by not publicly disclosing vulnerabilities without express approval from the ExtraHop Security team.
- Transparency. We request that researchers provide the technical details and background necessary for our team to identify and validate reported issues, including locations, descriptions, examples, steps, impacts, and attachments as appropriate.
Vulnerability Reporting
ExtraHop recommends that security researchers share the details of any suspected vulnerabilities across assets owned, controlled, or operated by ExtraHop (or that would reasonably impact the security of ExtraHop or its customers) using the email alias “security@extrahop.com”. The ExtraHop Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution.