Vulnerability Disclosure Policy

This policy is intended to provide security researchers with information on how to report discovered vulnerabilities to FUJIFILM Business Innovation.
The following process is based on ISO/IEC 29147.

How to Report a Vulnerability

Please access the following form to report a vulnerability regarding our products.

Vulnerability report form

Please be sure to fill out the following items in the form.

  • Contact information (first name, last name,email address)
  • Product name(s)
  • Software/Firmware version(s)
  • Details (please include the possible cause and procedure to reproduce the vulnerability)

Please describe in English.

NOTE: We would also like you to send the following information as much as possible, after we respond to you and start our communication. Please use the PGP key.

  • Proof of concept (PoC) scripts
  • Screenshots
  • Names of the tool(s) required for reproduction

Scope

This policy applies to Fuji Xerox and FUJIFILM Business Innovation products such as multifunction devices, printers, production printers, software, and cloud services.
Products that we do not support (trial versions and products that are no longer supported) are excluded from scope.

Our response

Within five business days from the day we received the vulnerability report, we will contact your email address specified in the form. During the period of our holidays (such as New Year holidays, summer holidays, Japan’s national holidays, etc.), the reply may be delayed.

We will contact you again after we confirm whether the vulnerability exists in our products. If the vulnerability exists, we would like to coordinate the schedule of the fix and the publication of the security advisory with you.

Publication of the security advisory

We will coordinate the publication schedule with you and other related members and post the security advisory on the following page on our company website or the support page for each product available for registered users only as promptly as possible.

Important notices about our products

Rewards

Regardless of the content of the report, we do not offer rewards.