With its 25-year experience as a member of the Free Software and Open Source communities, AdaCore acknowledges that openness and transparency are real security assets, and that the community is a force multiplier in its endeavour to provide safe and secure products to its customers.
Therefore we encourage the contributions of our customers, hobbyists and security researchers pertaining to the security of our products and commit to provide the best vulnerability disclosure experience possible.
This program applies to:
- all products marketed by AdaCore, including but not limited to: GNAT Pro Assurance, Enterprise, Developer and Community editions, SPARK Pro, CodePeer, QGen, and any add-on thereto, including the baselined versions. We do not support phased out versions as we are not able to reproduce issues.
- all projects officially supported by AdaCore on GitHub, or any other community repository.
- third party software dependencies thereto that do not belong to the scope of another CVE Numbering Authority.
- all web sites and on-line services maintained by AdaCore.
As a software development tool vendor, we focus on security issues in our products that can affect the security of our customers’ code. Therefore we will pay specific attention to submissions concerning insecure behaviour of the code generated with our tools and libraries we provide.
Within this scope, issues causing privilege escalation on the target operating system, illegal memory access, undefined behaviors, allowing execution of arbitrary code, or compromise compiler or library features specifically designed to be used for security purposes (such as a random number generator) are of special concern; however, this list is not exhaustive and all security issues should be reported.
Please send your submission as follows:
- If you are an AdaCore customer, please use firstname.lastname@example.org or GNAT Tracker to report any
vulnerability you have found.
- If you are not an AdaCore customer, please use email@example.com.
When submitting a vulnerability, please provide the following information:
- affected product(s), including their version number, host and target operating systems and hardware platforms. If the vulnerability affects several products, please list all the affected products you are aware
- concise steps to reproduce the security issue. If your report does not include sufficiently detailed information, we will not be able to process it correctly.
Your submission will be reviewed and validated by a member of our security team. If our team assesses that your submission reveals a vulnerability, we will make our best effort to bring your issue to resolution and, in any event, disclose it to the public as described below.
If multiple reports pertaining to the same vulnerability are submitted, we will process the first report that was received and mark subsequent reports as duplicates.
AdaCore will make every effort to meet the following service levels when processing submissions:
|Type of Response||Timing in business days|
|Initial Acknowledgement||1 day|
|Initial response assessing the severity and complexity of the issue||2 days|
|Resolution||Contingent on severity and complexity|
Throughout the process, we will make a reasonable effort to keep you apprised of our progress.
AdaCore defines "resolution" as follows:
- A decision is made to fix the problem in future versions of the products; or
- For non severe vulnerabilities, a decision is made to only document the vulnerability; or
- A decision is made to document a workaround to avoid the vulnerability.
You acknowledge that AdaCore’s customers operate in sensitive industries with safety and security concerns, where deploying security fixes may take several months.
As soon as we identify that your submission reveals a vulnerability and a resolution is found, we will reserve a CVE entry and inform our affected customers, leaving them a reasonable period of time to deploy the resolution. At the expiry of this period, which shall be no more than 90 days after we have received the submission, we will disclose the vulnerability on the MITRE CVE database and on our Web site.
By submitting a vulnerability under this program, you agree to not share with third parties information pertaining to the vulnerability until the later of:
- a resolution has been made available and communicated to affected AdaCore customers, and a CVE added to the MITRE database
- a period of 90 days has elapsed since your submission
This program does not provide monetary rewards for bug submissions. However, any security advisory we publish will give credit to all persons or organizations who independently report the issue to AdaCore before disclosure.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and AdaCore will not initiate legal action against you. In addition, should a third party take legal action against you on the grounds that you conducted these activities we will take steps to make it known that your actions were conducted in compliance with this policy.
- Whenever applicable, please use the account(s) you control for testing or research purposes, and do not attempt to gain access to another user’s account, production system or confidential information.
- Do not store, share, compromise, or destroy AdaCore’s data or data of AdaCore’s customers, including personally identifiable data or personal data. Instead, immediately stop your activity, delete such data from your system, and contact AdaCore.
- Activities involving social engineering, spam and denial of service are not considered lawful activities under this program.
- More generally, please do not engage in any activity that can potentially or actually cause harm to AdaCore, our customers, or our employees, nor in any activity that violates the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) you are conducting research activities.