RE: Citrix vulnerability disclosure/bug reports contact

["Arian J. Evans" <arian.evans () bigfoot com>]

> Does anyone know where to send citrix bug reports?

Citrix prefers official support to go through either
a channel reseller (CCA/CCEA's at VARs can open calls),
or direct calls from someone with a support contract.

support@ and security@ are valid email addresses at
Citrix, but seldom responded to IME.

For general issues/bug reports, Citrix will direct you
to their public support forum:

http://ctxex10.citrix.com/icaforum.nsf/($All)?OpenView

<*personal experiences w/Citrix*>

I ran into several security quirks regarding application
authentication issues while beta-testing nFuse, and had
no luck getting Citrix support to address them, other
than open a case and never respond. FWIW, I was at a Citrix
VAR at that time and had direct support, and still made
no difference. I have not used nFuse since it went 1.0,
so I can provide no further input.

You can contact their support directly at: 800-424-8749
if you wish to pursue further; YMMV.

I called Citrix support directly on this tonight and
could find no one who had an answer on what to do with
a vulnerability disclosure, other than posting it in
their public forums. I got transferred until disconnected,
called back, and was then put on hold for over 30 mins
until I hung up. That's all the effort I'm willing to
put out for them. Good luck; responsible reporting.

Arian J. Evans
Citrix CCA Winframe, Metaframe
and other sheepskins