As a provider of security software, we take security issues seriously and recognize the importance of privacy, security, and community outreach. In addition, Ipswitch utilizes security tools, processes and personnel to maintain a high standard of security.
Ipswitch periodically receives reports of vulnerabilities that have already been fixed in subsequent releases. We therefore strongly recommend that customers remain on actively supported versions of our products and apply patches without delay. For vulnerabilities reported against older versions that have since been fixed, Ipswitch recommends upgrading to at least the version in which the issue was fixed. For MOVEit Transfer, please see our KB article for Vulnerability Scanner, Penetration Testing, and Hardening FAQs in order to avoid reporting false positives.
Customers, or consultants working on behalf of customers, should contact Technical Support directly to report discovered vulnerabilities.
If you are not a customer and believe you have discovered a vulnerability in an Ipswitch product or have a security issue to report, please contact firstname.lastname@example.org and use our PGP public key for encrypted communication. The email address is continuously monitored and you will receive a response within five (5) business days. Alternatively, if you wish to use an encrypted channel, please use our MOVEit system and enter “security” in the “Recipient Email(s)” location.
Once we have received a vulnerability report, Ipswitch takes the following steps to address the issue:
- Ipswitch requests the reporter to keep confidential any communication regarding the vulnerability.
- Ipswitch investigates and verifies the vulnerability.
- Ipswitch addresses the vulnerability and may need to release an update to do so.
- Ipswitch notifies customers and partners of the vulnerability.
- Ipswitch publicly announces the vulnerability in the release notes.
- Release notes include a reference to the person/people who reported the vulnerability, unless the reporter(s) wish to stay anonymous.
Our commitment to reporters:
- We will acknowledge the receipt of your vulnerability report in a timely manner.
- We will notify you when the vulnerability is fixed and allow you the opportunity to confirm it is fixed.
- We will publicly thank you for your responsible disclosure and for helping us keep our products secure.
Third parties are prohibited from running automated scanners, or attempting penetration tests, against Ipswitch-owned websites. Ipswitch conducts its own testing, or contracts out to specific third parties, for security scanning. If you want to perform security scanning against an Ipswitch product, do so on a copy of the product installed on a server controlled by you. Vulnerabilities found by unauthorized scans of Ipswitch websites will not be rewarded.