Welcome to Palo Alto Networks Responsible Disclosure
Responsible Disclosure Policy:
This page is for security researchers interested in reporting non-product security vulnerabilities impacting Palo Alto Networks (like www.paloaltonetworks.com). To report a product vulnerability, return to the Palo Alto Networks Security Disclosures page for instructions. If you are unsure, just submit here.
You will be recognized for your finding on the Palo Alto Networks researcher acknowledgement page, as well as the Responsible Disclosure Acknowledgments page, if the following requirements are met:
- You report an issue determined to be within program scope
- You have followed program guidelines
- It is determined to be a valid security issue, and
- A fix has been issued
Typical Vulnerabilities Accepted:
- OWASP Top 10 vulnerability categories
- Other vulnerabilities with demonstrated impact
Typical Out of Scope:
- Theoretical vulnerabilities
- Informational disclosure of non-sensitive data
- Low impact session management issues
- Self-XSS (user-defined payload)
For the full program scope, please visit the Responsible Disclosure details page.
Responsible Disclosure Guidelines:
- Adhere to all legal terms and conditions outlined at responsibledisclosure.com
- Work directly with ResponsibleDisclosure.com on vulnerability submissions
- Provide a detailed description of a proof of concept so that the vulnerability can be reproduced
- Do not engage in disruptive testing such as DoS, or any action that could impact the confidentiality, integrity or availability of information and systems
- Do not engage in social engineering or phishing of customers or employees
- Do not request compensation for time and materials or vulnerabilities discovered