Vulnerability Disclosure Policy

As a provider of security software, services, and research, we take security issues very seriously and recognize the importance of privacy, security, and community outreach. As such, we strive to provide back to the security community through a coordinated and reasonable disclosure philosophy.

We count on everyone: the people who use Rapid7 software and services (you’re awesome!), the software developers, external security enthusiasts, and all the wonderful people that contribute to our open source community. Our collaborative efforts go a long way in creating a safe and responsible environment.

Reporting security issues
If you believe you have discovered a vulnerability in a Rapid7 product or have a security incident to report, please contact security@rapid7.com. If you feel the need, please use our PGP public key - KeyID: 8AD4DB8D - to encrypt your communications with us.

Once we have received a vulnerability report, Rapid7 takes a series of steps to address the issue:

  1. Rapid7 asks the reporter to keep any communication regarding the vulnerability confidential.
  2. Rapid7 investigates and verifies the vulnerability.
  3. Rapid7 addresses the vulnerability and releases an update to patch it.
  4. Rapid7 publicly announces the vulnerability in the release notes of the update.
  5. The release notes include a reference to the person or people who reported the vulnerability, unless the reporter(s) wish to stay anonymous.

Rapid7 will endeavor to keep the reporter apprised of every step in this process as each step occurs.

Working to mature security practices
When properly notified of legitimate issues, we’ll do our best to acknowledge your emailed report, assign resources to investigate the issue, and fix potential problems as quickly as possible. When we discover vulnerabilities through our own research, we will do our best to coordinate efforts with the vendor's security teams and CERT/CC.

Security Issue found by Rapid7 Research
Once we have found a vulnerability in another vendor’s products, Rapid7 takes a series of steps to address the issue:

  1. Rapid7 will keep any communication confidential regarding the vulnerability until the completion of the disclosure process.
  2. Rapid7 will attempt to contact the appropriate product vendor by email and telephone.
  3. Rapid7 will provide the vulnerability details to the vendor.
  4. Rapid7 will send a notification to CERT/CC 15 days after the first attempt at contacting the vendor.
  5. In keeping with CERT/CC's 45-day disclosure policy, Rapid7 and CERT/CC will prepare and publish an advisory detailing the vulnerability 60 days after the initial attempt at contacting the vendor in step #2 above, not counting weekends, US holidays, or other extenuating circumstances. This advisory will be made available to the general public.

For the latest news, research, and developments from Rapid7 on security and our projects, visit our community site.