Vulnerability Disclosure Policy

1. Introduction

The FUJI SOFT INCORPORATED Vulnerability Disclosure Policy outlines our commitment to responding promptly and appropriately to vulnerabilities, ensuring customer security, and maintaining the highest standard of integrity through transparent information disclosure. We share and disclose vulnerability information in accordance with the Information Security Early Warning Partnership Guidelines issued by the Information-technology Promotion Agency, Japan (IPA) and, as needed, consult with the IPA and Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).

This policy defines the reporting channels and response procedures for security vulnerabilities discovered in our products, as defined in Section 2. Scope of Application.

2. Scope of Application

This policy applies to Company products listed on the following webpage (Japanese-language only):
https://fsi-plusf.jp/products/
Please note that the Company’s vulnerability disclosure policy does not apply to Fuji Soft products that have been modified by customers.

3. Reporting a Vulnerability

Please use the following contact information to report vulnerabilities for Fuji Soft products.
Report product vulnerabilities (Japanese-language only)

4. Report Response Process

・ Receive report

・ Issue an email notification acknowledging receipt of the report.

・ Respond within five business days. Responses may take longer during designated Company non-business periods, such as the year-end and New Year holidays, Golden Week, and the summer vacation period.

・ Confirmation

・ The Product Development Department will confirm the existence of the reported vulnerability and may request additional information.

・ Confirmation results will, in principle, be communicated to the reporter.

・ Please note that confirmations will not be conducted for products whose specified support period has expired.

・ Correction and disclosure

・ Confirmed vulnerabilities will be promptly remediated.

・ When a vulnerability is confirmed, we will consult with the IPA and JPCERT/CC in accordance with the Information Security Early Warning Partnership to implement appropriate remediation, including reporting to the Japan Vulnerability Notes (JVN) and Common Vulnerabilities and Exposures (CVE) databases.

・ Once preparations are complete, the information will be disclosed on the Company website on a release date agreed upon with the reporter and related parties, in line with the Principle of Uniform Disclosure Date.

5. Other

Provided that the reporting party investigates and reports in good faith and within the scope of this policy, the Company will consider such actions to have been carried out in good faith and will not hold the reporting party legally liable.