Vulnerability Reporting Guidelines
Thank you for working with Tenable to help ensure we can provide a timely response to any security issues in our products. We are committed to working with researchers to fully understand an issue and providing a resolution to resolve it.
To ensure that we have the information required to properly evaluate a reported issue, Tenable asks that you include the following information in any bug report:
- Any vulnerability database identifier you have requested. If you have not requested a CVE identifier, indicate if you would like us to request one.
- The affected product or resource (e.g. Nessus, SecurityCenter, LCE, PVS, Tenable web site), the version of the software, and the platform you are using (e.g. Windows 7, Debian Linux).
- A description of the issue explaining the vulnerability, including the impact to the user(s) or system. This should clearly describe how the issue crosses privilege boundaries.
- Any caveats or conditions required to exploit the issue. Indicate if there are any non-default system settings, custom configurations, required user interaction, or anything else that would limit the attack.
- A proof-of-concept or functional exploit that demonstrates the issue. Please note that injecting an HTML tag does not necessarily mean it is vulnerable to cross-site scripting, and injecting a single backtick (`) does not necessarily mean it is vulnerable to SQL injection. If a proof-of-concept is not available, please include any relevant proxy logs generated from your testing.
During the process, Tenable will stay in touch with you to keep you updated on our status for resolving the issue. If the issue you reported is determined to be valid, and affects one of our products, an advisory will be published when a solution is available for our customers. Please indicate how you would like to be credited in the advisory (name, company or affiliation, etc).
Have a Vulnerability to Report?
Please read the vulnerability reporting guidelines before submission.Contact Us