Security & Compliance

Commitment to security

Devolutions Inc. is committed to be a leader in providing the safest products and services on the market for remote access and password management software. This commitment is driven by and aligns to the organization’s core values to promote transparency of our practices, to share with others and to deliver above expectations.

Our security program, led by the Chief Security Officer and overseen by the Executive Committee and the Board of Directors, covers three fundamental practices:

• Governance and transparency (GovSec)
• Operational cyber risk and incident management (OpSec)
• Development lifecycle security management (DevSec)

The program is managed and operated by Devolutions-owned and highly qualified information security team working hard every day to meet the objectives of our commitment requirements and above.

Information available below is only the visible tip of the iceberg on the ongoing efforts led by our commitment to security. More will be available over time and our team always remains available for any security-related question at security@devolutions.net.

Reporting a Security Issue

While we do take care of the security of our products, the fast-changing nature and complexity of security may inadvertently expose our software or supporting infrastructure to vulnerabilities. If you identify such a vulnerability, please send us your report in a timely manner at security@devolutions.net. The report should include the following items:

• Proof-of-concept code and relevant screenshots to help us confirm and reproduce findings.
• Justification of how the impacts may affect our organization and/or customers if exploited.
• Proposed fix, if possible and applicable.

Once submitted, allow us a reasonable time frame to provide some feedback. Our security team must:

• Reproduce and confirm the vulnerability as described in your report.
• Establish a severity score according to CVSS 3.1.
• Consider the recommendations from your report and build an action plan with relevant teams.
• Maintain communication with the reporter until the case is resolved.

We kindly ask to maintain the report and its content confidential until the appropriate corrective measures are released in production. Please also note that exploiting a reported vulnerability abusively or for illegal, malicious or other inappropriate purposes may result in legal prosecutions against the reporter, which could lead to civil or criminal liability. An action is considered abusive or inappropriate when its purpose compromises customer-related or internal confidential information in an undue or disproportionate manner, or when such an action has some other aim than the demonstration of a vulnerability.