Responsible Disclosure Policy

WatchGuard Product Security Incident Response Team (PSIRT)

The WatchGuard PSIRT organization is responsible for vulnerability and security incident management for issues involving WatchGuard products and services. The PSIRT organization handles communications with third party researchers and internal stakeholders through the vulnerability management process from receipt and investigation through disclosure.

Report a Vulnerability to WatchGuard

Individuals and organizations can report a vulnerability to WatchGuard by following the detailed instructions on the Report a Vulnerability page.

WatchGuard Responsible Disclosure Policy

WatchGuard believes in following a responsible disclosure process for potential security issues. We are committed to working with external security researchers to quickly and effectively identify, resolve, and disclose potential flaws. If you have identified a potential security issue, please report it to our security team by following the instructions on the Report Vulnerability page of our PSIRT portal (link). Please include as much detail in your report as possible to aid in confirming and resolving the issue (for example, reproducible steps or a working proof-of-concept).

We encourage good-faith vulnerability research and ask that you:

  • Report any vulnerability you’ve discovered promptly, through the appropriate confidential communications channels.
  • Keep your findings confidential until we have had an opportunity to confirm and resolve the issue.
  • Refrain from doing any harm – such as accessing accounts or private information owned by other users without explicit permission from the account holder and WatchGuard.
  • Avoid any action that might cause a service disruption or violate the privacy of others or our terms of use.


  • WatchGuard Firebox (physical and virtual)
  • WatchGuard AP Wireless Access Points
  • WatchGuard AuthPoint Mobile App (iOS & Android)
  • WatchGuard Endpoint Security (EPDR, Panda AD360, Panda Dome)
  • WatchGuard Cloud Endpoints (*
  • Panda Security Endpoints (,

Safe Harbor

In return for your good faith research abiding by our responsible disclosure process, we commit to:

  • Not pursue any legal action related to your research;
  • Promptly work with you to understand and resolve the issue identified by your research

Out of Scope

In the interest of our users' safety and privacy, the following test types and vulnerability locations are out of scope:

  • Any issue derived or involving social engineering a WatchGuard employee, partner or customer
  • Issues discovered in systems or products not listed in the Scope section including non-WatchGuard systems
  • General software bugs without a demonstrated security impact

Vulnerability Scoring System

WatchGuard PSIRT uses the Common Vulnerability Scoring System (CVSS) Version 3.1 to calculate vulnerability severity.

Vulnerability Report SLA

CVSS Base Score Severity Rating Disclosure Resolved Builds
9.0 - 10.0 Critical Security Advisory Required Resolved In All Non-EOL Products
7.0 - 8.9 High Security Advisory Required Resolved In All Non-EOL Products
4.0 - 6.9 Medium Security Advisory Required Resolved In All Non-EOL Products
0.0 - 3.9 Low Security Advisory Optional Resolved In All Non-EOS Products