Security & Compliance
Reporting a Security Issue
While we do take care of the security of our products, the fast-changing nature and complexity of security may inadvertently expose our software or supporting infrastructure to vulnerabilities. If you identify such a vulnerability, please send us your report in a timely manner at security@devolutions.net. The report should include the following items:
- Proof-of-concept code and relevant screenshots to help us confirm and reproduce findings.
- Justification of how the impacts may affect our organization and/or customers if exploited.
- Proposed fix, if possible and applicable.
Once submitted, allow us a reasonable time frame to provide some feedback. Our security team must:
- Reproduce and confirm the vulnerability as described in your report.
- Establish a severity score according to CVSS 3.1.
- Consider the recommendations from your report and build an action plan with relevant teams.
- Maintain communication with the reporter until the case is resolved.
We kindly ask to maintain the report and its content confidential until the appropriate corrective measures are released in production. Please also note that exploiting a reported vulnerability abusively or for illegal, malicious or other inappropriate purposes may result in legal prosecutions against the reporter, which could lead to civil or criminal liability. An action is considered abusive or inappropriate when its purpose compromises customer-related or internal confidential information in an undue or disproportionate manner, or when such an action has some other aim than the demonstration of a vulnerability.