
Vulnerability Disclosure Policy

Reporting Security Issues to Ipswitch

As a provider of security software, we take security issues seriously and recognize the importance of privacy, security, and community outreach. In addition, Ipswitch utilizes security tools, processes and personnel to maintain a high standard of security.

Ipswitch periodically receives reports of vulnerabilities that have already been fixed in subsequent releases. We therefore strongly recommend that customers remain on actively supported versions of our products and apply patches without delay. For vulnerabilities reported against older versions that have since been fixed, Ipswitch recommends upgrading to at least the version in which the issue was fixed. For MOVEit Transfer, please see our KB article for Vulnerability Scanner, Penetration Testing, and Hardening FAQs in order to avoid reporting false positives.

For customers, or consultants working on behalf of customers, please contact Technical Support directly to report discovered vulnerabilities.

If you are not a customer and believe you have discovered a vulnerability in an Ipswitch product or have a security issue to report, please contact security@ipswitch.com and use our PGP public key for encrypted communication. The email address is continuously monitored and you will receive a response no later than five (5) business days. Once we have received a vulnerability report, Ipswitch takes the following steps to address the issue:

  1. Ipswitch requests the reporter to keep confidential any communication regarding the vulnerability.
  2. Ipswitch investigates and verifies the vulnerability.
  3. Ipswitch addresses the vulnerability and may need to release an update to address the vulnerability.
  4. Ipswitch notifies customers and partners of the vulnerability.
  5. Ipswitch publicly announces the vulnerability in the release notes.
    1. Release notes include a reference to the person/people who reported the vulnerability, unless the reporter(s) wish to stay anonymous.

Vulnerability Report Requirements

  • Explicit information related to the Progress application
    • Product version
    • Host operating system
    • Database type
    • Any other applicable information (i.e., advanced configuration options required to reproduce the vulnerability)
  • Detailed instructions on how to reproduce the vulnerability
    • Step-by-step screenshots walking through the vulnerability
    • Clear examples of user-supplied input if required
    • HTTP requests and responses
  • Risk Assessment
    • CVSS Score
    • Business impact of the vulnerability

 

Our commitment to reporters:

  1. We will acknowledge the receipt of your vulnerability report in a timely manner.
  2. We will notify you when the vulnerability is fixed and allow you the opportunity to confirm it is fixed.
  3. We will publicly thank you for your responsible disclosure and for helping us keep our products secure.

Third parties are prohibited from running automated scanners, or attempting penetration tests, against Ipswitch-owned websites. Ipswitch conducts its own testing, or contracts out to specific third parties, for security scanning. If you want to perform security scanning against an Ipswitch product, do so on a copy of the product installed on a server controlled by you. Vulnerabilities found by unauthorized scans of Ipswitch websites will not be rewarded.


