Vulnerability Disclosure Policy

Effective as of June 30, 2010

This document outlines Rapid7's disclosure policy as it relates to vulnerabilities identified by Rapid7 staff in the course of company-sponsored research. Upon identification of a security vulnerability, Rapid7 will attempt to contact the appropriate product vendor by email and telephone. Fifteen (15) days after notification to the product vendor, Rapid7 will report the vulnerability to the Carnegie Mellon Computer Emergency Response Team (CERT), whether or not the product vendor has responded to Rapid7. Under CERT's own disclosure policy, CERT will publish an advisory related to the vulnerability to the general public approximately forty-five (45) days after receiving the report (more or less depending on extenuating circumstances). At that time, Rapid7 may provide its customers with product updates for the purpose of detecting and remediating the vulnerability.

If you would like to report a security vulnerability in one of Rapid7's products, please write to You may use our PGP Key, KeyID: 8AD4DB8D.