Foxit Vulnerability Disclosure Policy
Foxit takes security very seriously and aims to provide the industry's most secure solutions and services to keep customer data and systems safe. At Foxit, we investigate all received vulnerability reports and implement the best course of action in order to protect our customers. Foxit believes that working with skilled security researchers helps identify weaknesses in any technology.
Contact Information
If you believe you have found a security vulnerability in a Foxit product or service, please contact us:
- Email: [email protected]
We encourage encrypted communication for sensitive reports.
Scope
We accept vulnerability reports for:
- All Foxit-developed products and services currently supported and distributed.
- Web services and platforms operated by Foxit (e.g., foxit.com).
We do not accept vulnerability reports for:
- Third-party software or plugins not developed by Foxit.
- Vulnerabilities in third-party services or libraries independently used by others.
- End-of-life products no longer supported.
If a vulnerability is discovered in a third-party component embedded in a Foxit product, we will coordinate with the upstream vendor for responsible handling and remediation.
Response Process
Upon receiving a vulnerability report, we will:
- Acknowledge receipt within 5 business days.
- Validate and assess the impact of the vulnerability.
- Keep the reporter informed of progress and mitigation plans.
Disclosure Timeline
We follow the principle of coordinated vulnerability disclosure:
- Confirmed Foxit vulnerabilities will be publicly disclosed only after the corresponding fix has been released to customers.
- Internal tracking is maintained for all confirmed vulnerabilities to manage remediation efficiently.
- Where appropriate, we may also share information about confirmed vulnerabilities with relevant vulnerability management communities to ensure the issue is properly recorded and communicated.
- For vulnerabilities identified in third-party software used within Foxit products, we will notify the affected vendor and support coordinated remediation, but we do not control the timing of their disclosures.
Recognition and Attribution
If you wish, we will acknowledge your contribution in our security advisories. Alternatively, we respect requests for anonymity.
We may offer credit on our website, depending on the nature of the vulnerability.
Note: Recognition refers to acknowledging your contribution, and Attribution refers to publicly naming the researcher.
Safe Harbor
Foxit will not pursue legal action against individuals who:
- Conduct security research in good faith.
- Follow the principles of responsible disclosure.
- Avoid unauthorized data access, service disruption, or privacy violations.
Responsible Disclosure Guidelines
To help us address vulnerabilities effectively and responsibly, we kindly ask researchers to:
- Allow Foxit a reasonable amount of time to investigate and fix the reported issue before sharing it publicly or with a third party. We strive to resolve critical issues as quickly as possible.
- Take care to avoid actions that could violate privacy, damage data, or interrupt/degrade Foxit’s services.
Prohibited Activities
The following actions are strictly prohibited during security research:
- Performing activities that may negatively impact Foxit or its users (e.g., spam, brute force, denial of service).
- Accessing or attempting to access, or destroying or corrupting (or attempting to destroy or corrupt), data or information that does not belong to you.
- Conducting any physical or electronic attack on Foxit personnel, property, or data centers.
- Engaging in social engineering against any Foxit service desk, employee, or contractor.
- Violating any laws or breaching any agreements to discover vulnerabilities.
Publication
Confirmed and remediated vulnerabilities will be published on:
- Our security advisory page: https://www.foxit.com/support/security-bulletins.html.
- Relevant industry vulnerability management platforms, where appropriate.
Note: Certain issues, such as site misconfigurations or findings identified solely by automated scanning tools, may be addressed internally but will not be published as separate advisories.