Optimizely is committed to providing secure products and services. Part of this commitment is performing ongoing security assessments, such as vulnerability assessments, risk assessments, and third-party penetration tests, to determine the presence of threats and vulnerabilities within the products and services Optimizely offers. This article is intended to communicate what types of security assessments Optimizely conducts, what types of security assessments you as a customer are allowed to conduct, and how you can submit findings to Optimizely.
What Optimizely is Doing
Optimizely conducts routine security assessments in order to identify vulnerabilities and risks within all of Optimizely's products and services. All findings are then evaluated through Optimizely's vulnerability management processes. This evaluation is critical in order to determine real-world risk, which has a direct impact on the prioritization that Optimizely assigns to the remediation strategy for a finding. Optimizely does not share any specifics of the security assessments that it conducts and will instead reference audits conducted by trusted third parties to provide you with assurance that security assessments are taking place.
Due to the possible impact that security assessments may have on the integrity and availability of Optimizely's environments, vulnerability assessments and penetration tests are prohibited against all hosted production sites, that is, against products and services that are hosted within an Optimizely-managed environment. Please only perform vulnerability assessments or penetration tests on sandbox sites.
On-premises customers are permitted to conduct any type of security assessment on Optimizely products that are completely hosted within their own managed environment. SDK customers must ensure the scope of the security assessment does not include the SDK portion that is hosted by Optimizely.
If you identify a finding through a security assessment, you can communicate the finding to Optimizely via the Customer Support portal. Optimizely will then evaluate the finding through the vulnerability management processes and determine next steps. This could include the submission of a bug fix or product enhancement request, which Optimizely will prioritize based on the identified risk level.
Security penetration tests should only be performed against the latest version of the code.
- Optimizely routinely conducts a variety of security assessments and will resolve any identified finding per the vulnerability management processes. This should satisfy most requirements that you may have regarding security assessments of critical products and services.
- A particular finding may not always be directly related to an Optimizely product or service and may instead be related to the unique configurations or integrations that exist within your environment. In these circumstances, Optimizely may provide recommendations, but it is ultimately up to you to decide how to remediate the finding.
- There are always various methods to reduce the risk of a particular finding. This could include the introduction of security controls that reduce the impact or the probability of a finding being exploited. Optimizely will always evaluate security findings based on real-world risk and recommend a variety of remediation strategies that are designed to reduce the risk; these strategies may not necessarily be designed to completely eliminate the root cause of a finding.