Vulnerability Disclosure Policy

At SolarWinds, we take our responsibility to protect our customers’ information and the software and services we provide to them very seriously.

We want security researchers to feel comfortable reporting vulnerabilities they have discovered, as set out in this policy, so that we can remediate them and keep our information and the software and services we provide safe.

This policy describes what systems and types of research are covered, rules of engagement, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities. We reserve the right to update this policy at any time, so please review the policy periodically.

Purpose

The main goal of our vulnerability disclosure policy is to help ensure that vulnerabilities are patched or fixed in a timely manner with the ultimate objective of securing our customers’ and users’ information. This policy is intended to give clear guidelines for reporting potentially unknown or harmful security vulnerabilities.

Guidelines

We require you to:

  1. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  2. Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems. Once you have established that a vulnerability exists, or encountered any of the sensitive data outlined below, you must stop your test and notify us immediately.
  3. Keep confidential any information about discovered vulnerabilities. For details, please review the coordinated disclosure section.

Scope

This policy applies to the *.solarwinds.com domain and the products available here:
https://www.solarwinds.com/downloads

Any product or services not expressly listed above, such as any connected services, are excluded from the scope and are not authorized for testing.

Additionally, vulnerabilities found in our service providers’ systems fall outside of this policy’s scope and should be reported directly to the service provider according to their disclosure policy (if any). If you are not sure whether a system or endpoint is in scope, contact us at PSIRT@solarwinds.com before starting your research and let us help you determine whether the activity is in scope.

Rules of Engagement

We ask that researchers follow these simple rules of engagement to limit the potential that our company and/or our customers’ data may be put at risk:

  1. Do not exploit identified vulnerabilities in a manner that risks the confidentiality, integrity, and/or availability of any resources not explicitly owned by you during testing processes.
  2. Do not use your findings to phish, spam, social engineer, or otherwise defraud any customers or SolarWinds employees while testing to gain more access.
  3. Do not try to physically access SolarWinds properties, attempt to social engineer employees, or otherwise try to discover risk beyond digital means against SolarWinds.
  4. Do not perform denial of services (DoS) or distributed denial of service (DDoS) attacks against any SolarWinds resource to prove an impact for a suspected security issue.

If you encounter any of the below while testing within the scope of this policy, we ask that you stop your testing and notify us immediately:

  • Personally identifiable information
  • Financial information (e.g., credit card or bank account numbers)
  • Information that you suspect is, or may reasonably be considered, proprietary or a trade secret of our company or any other party
  • Denial of Service or situations where the site and application are not responding

Reporting a vulnerability

We accept reports of vulnerabilities via email at PSIRT@solarwinds.com. We also support PGP-encrypted email and our public key is available to secure any communication to SolarWinds.

Your reports should include:

  1. Description of the location and potential impact of the vulnerability.
  2. A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
  3. Any technical information and related materials we would need to reproduce the issue.
  4. Please keep your vulnerability reports current by sending us any new information as it becomes available.

We may share your vulnerability reports with external third parties, as well as with any affected vendors or open source projects.

Authorization

You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be compliant with this policy and we will work with you to understand and resolve the issue quickly. Please understand that we cannot control third-party rights or claims.

Coordinated Disclosure

SolarWinds is committed to fixing verified and validated vulnerabilities reported to us and disclosing the details of those vulnerabilities in product release notes when updates to our products are made generally available. We know that public disclosure of vulnerabilities can be an essential part of the vulnerability disclosure process and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes.

At the same time, we believe that disclosure in absence of a readily available fix tends to increase risk rather than reduce it, and so we ask that you refrain from sharing your report with others while we work on making a fix available to customers. If you believe there are others that should be informed of your report before a fix is available, please let us know so we may consider other arrangements.

We welcome and support co-publication of a coordinated advisory, but you are also welcome to self-disclose if you prefer. By default, we prefer to disclose everything; however, except in circumstances where we may be required by law, we will act in good faith and never publish information about you or our communications with you without your permission. In some cases, we may also hold sensitive information that should be redacted, so please check with us before self-disclosing.

What you can expect from us

  1. When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
  2. Within 3 business days, we will acknowledge that your report has been received.
  3. To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  4. We will maintain an open dialogue to discuss issues.

SolarWinds PSIRT PGP Public Key

When sending information on vulnerabilities and/or other sensitive security information to SolarWinds, we ask that you encrypt your communications to the security team. We have published a public PGP key that you can use to:

  • Verify the authenticity of security notifications from SolarWinds
  • Encrypt any messages containing sensitive information to SolarWinds via psirt@solarwinds.com

Please do not send personally identifiable information to us.

Obtain a PGP Key

You can obtain a commercial or free trial version of PGP Desktop from PGP Corporation. Additionally, GnuPG is available as freeware.

SolarWinds Security Team PGP Key

Security team public keys are uploaded to secure, global PGP directories which publish the latest PSIRT key(s), expiration date(s) and certificate revocation status.

The SolarWinds PSIRT public key is published to these PGP global directories:

https://pgp.circl.lu/

http://keys.gnupg.net/
