Devolutions security bug bounty program
Devolutions Inc. is dedicated to performing exceptional due diligence when developing and delivering solutions, in order to prevent and mitigate threats that may have a negative impact upon our customers' data, and upon our ability to provide safe, reliable, and compliant products and services. To achieve this critical objective, we employ industry-leading frameworks, standards, controls, processes, and best practices, including our private Bug Bounty Program.
About the program
Transparency is a core value at Devolutions, as it fosters healthy relationships, establishes trust, and promotes a culture of openness, improvement and innovation. Our bug bounty program, which is rooted in our commitment to transparency, encourages researchers to try to “attack and break” our products, so that we can proactively fix vulnerabilities and correct coding errors before they are exploited.
Please note that at this time, enrollment in our bug bounty program is by invitation only.
Responsible disclosure
We continuously encourage researchers and customers to report identified vulnerabilities. To better protect our customers, reports remain confidential until vulnerabilities have been confirmed, resolved and released into production by Devolutions. We strive to do our best to address vulnerabilities within a reasonable and industry-acceptable timeframe.
Reporting a security issue
While we take the security of our products seriously, the fast-changing nature and complexity of software security may still expose our software or supporting infrastructure to vulnerabilities. If you identify such a vulnerability, please send us your report promptly at security@devolutions.net. The report should include the following items:
- Proof-of-concept code and relevant screenshots to help us confirm and reproduce findings.
- Justification of how the impacts may affect our organization and/or customers if exploited.
- Proposed fix, if possible and applicable.
Once your report is submitted, please allow us a reasonable time frame to provide feedback. Our security team will:
- Reproduce and confirm the vulnerability as described in your report.
- Establish a severity score according to CVSS 3.1.
- Consider the recommendations from your report and build an action plan with relevant teams.
- Maintain communication with the reporter until the case is resolved.
We kindly ask that you keep the report and its contents confidential until the appropriate corrective measures have been released to production. Please also note that exploiting a reported vulnerability abusively, or for illegal, malicious or other inappropriate purposes, may result in legal action against the reporter, which could lead to civil or criminal liability. An action is considered abusive or inappropriate when it compromises customer-related or internal confidential information in an undue or disproportionate manner, or when it has any aim other than demonstrating the vulnerability.
Rewards
Researchers are rewarded for reported vulnerabilities* in three important ways:
- Recognition: once a vulnerability is fixed and a patch is released to production, researchers can publicize their discovery and contribution on their blog or social media pages. Doing this raises their profile and standing in the IT and IT security communities and may support career advancement goals.
- Financial rewards**: we offer financial rewards based on the severity of each reported vulnerability, scored using the CVSS 3.1 standard. For high-risk issues (e.g., exploitable High or Critical severity), researchers can earn up to USD $1,500 per issue.
- Merchandise: from time to time, we may also provide participating researchers with Devolutions-branded merchandise.
*A vulnerability is a weakness in the application, whether a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of the application. Stakeholders include the application owner, application users and other entities that rely on the application.
**Payout amounts vary according to the quantity of vulnerabilities or affected components, as well as the overall quality of the report.
How to enroll
At this time, enrollment in our bug bounty program is by invitation only. Invitation codes are provided to security researchers and customers at various events throughout the year (e.g., Hackfest and NorthSec). If you have received an invitation code, email us at security@devolutions.net, referencing your code, for enrollment instructions.
By registering for our bug bounty program, you authorize us to communicate with you by email to respond to your submissions, requests and inquiries, and for other purposes related to the management of the program or your participation in the program in general.