Vulnerability Disclosure Policy

Introduction

Protecting the confidentiality, integrity, and availability of customer data is core to our mission of keeping our MSP community safe. At Kaseya, we believe security improvements are valuable during all phases of the software development lifecycle. We value collaboration with the research community and welcome responsible, professional, and discretionary disclosure of vulnerabilities through the Kaseya Vulnerability Disclosure Program (VDP).

What You Can Expect From Kaseya

When acting in accordance with the Kaseya VDP, you can expect us to:

  • Work with you to understand and validate your report.
  • Strive to fully triage reports within 3 business days.
  • Strive to remediate valid findings within 90 days.
  • Recognize your contribution to our security posture if you are the first to report a unique and significant vulnerability through the Kaseya VDP.
  • Indicate the severity* of your findings after initial triage.
  • Provide you with post-triage status updates regarding your report at a frequency commensurate with the severity* of the finding:
    1. Critical: 30 days
    2. High: 30 days
    3. Medium: 90 days
    4. Low: 90 days *Kaseya calculates severity based on CVSS 3.0, business impact and environment

Please note, the expectations listed above may not apply to products and services that Kaseya has acquired within the last six (6) months.

What Kaseya Expects From VDP Participants

While acting in accordance with the Kaseya VDP objectives, we expect you to:

  • Operate in good faith.
  • Notify us as soon as possible once you discover a real or potential security issue.
  • Adhere to the VDP Rules.

VDP Rules

As part of your participation in this program, you agree to adhere to all the following rules:

  • Use only [email protected] to submit reports and exchange communication with us regarding your findings.
  • Provide details of the finding, including information needed to reproduce and validate the vulnerability with a Proof of Concept (POC).
  • Many of our applications share a common platform and may thereby also share vulnerabilities. Be sure to include all occurrences of the same issue in one report instead of submitting them as multiple reports.
  • Do not discuss vulnerabilities outside of the VDP without express consent from Kaseya.
  • Kaseya recognizes the usefulness of tools that aid in automation of security research and does not wish to restrict their use. Should those tools cause availability issues, Kaseya will block them in order to maintain normal operation.
  • Do not perform denial of service attacks, or any attacks that have a reasonable chance of degrading Kaseya’s service or customer experience.
  • Do not intentionally view, store, modify, or destroy data that does not belong to you.
  • Only interact with test accounts that you own or accounts that you have explicit permission from the account holder to use.
  • Adhere to in scope and out of scope systems and services (see below).
  • Not engage in extortion or other harmful behavior.

We understand that in limited instances, the very act of identifying a vulnerability may contradict some of these rules, but we trust and expect that you will operate in good faith and limit these contraventions to the minimum extent necessary. If you have questions, you may contact us at [email protected].

Reporting

If you believe you’ve found a security issue in one of our products or services, please email us at [email protected] and include the following details within your report:

  • A brief description of the issue and all instances or endpoints at which it is located.
  • Attack scenario/exploitability, and the security impact of the bug.
  • Screenshots and/or videos demonstrating the issue.
  • Step-by-step instructions on how to reproduce the issue, including any exploit code.
  • Operating system and/or version information, if relevant.
  • If applicable, a log of all activity related to your discovery, including your IP address(es) and timestamped requests to aid us in validation and investigation.

Disclaimer: Regarding the above, please note the following:

  • Do not upload screenshots, videos, or exploit code to a publicly accessible server/repository in preparation of your email.
  • Do not zip or archive your files (just attach them directly to the email).
  • Low quality reports such as those which only contain automated output will be rejected.

In Scope Systems and Services

Any Kaseya-owned web service that handles sensitive user data is intended to be in scope. This includes:

  • Kaseya-developed mobile apps.
  • Kaseya-branded hardware devices.
  • Kaseya-owned Web domains, such as:
    • *.autotask.net
    • *.backupify.com
    • *.bitdam.com
    • *.centrastage.net
    • *.cloudtrax.com
    • *.dattobackup.com
    • *.gluh.co
    • *.infocyte.com
    • *.openmesh.com
    • *.soonr.com
    • *.kaseya.com
    • *.rapidfiretools.com
    • *.passly.com
    • *.idagent.com
    • *.graphus.ai
    • *.rocketcyber.com
    • *.unigma.com
    • *.unitrends.com
    • *.spanning.com
    • *.itglue.com
    • *.backup.net
    • *.spanningbackup.com
    • *.vorexlogin.com
    • *.kaseyacloud.com
    • *.365command.com
    • *.traverse-monitoring.com
    • *.liveconnect.me
    • *.kaseya.net
    • *.authanvil.com
    • *.scorpionsoft.com
    • *.unitrendsmsp.com
    • *.connectit.com
    • *.trumethods.com

Out of Scope Systems and Services

  • Third-party websites: Domains registered to Kaseya but hosted by a third party.
  • The following Kaseya owned sites are considered out of scope for any reports related to information disclosure resulting from directory listings, version information and similar findings.
    • tools.datto.com
    • cpkg.datto.com
    • mirror.datto.com
    • zfs.datto.com
    • swag.datto.com
    • investors.datto.com

Non-qualifying vulnerabilities

Kaseya welcomes and places high value on reports of vulnerabilities that substantially affect the confidentiality, integrity, and availability of Kaseya Systems and Services. Some reported findings may have little value or no practical significance to our product security posture. Kaseya reserves the right to make this decision, and we will do it in good faith. Findings that would be considered low-value, and therefore would not qualify for a reward include, but are not limited to:

  1. Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  2. Content spoofing and/or text injection issues without showing an attack vector.
  3. Clickjacking on pages with no sensitive actions.
  4. Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  5. Denial of Service (DoS).
  6. Issues that require unlikely user interaction by the victim.
  7. Missing best practices in Content Security Policy.
  8. Missing best practices in SSL/TLS configuration. 9. Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  9. Rate limiting or brute-force issues on non-authentication endpoints.
  10. Software version disclosure / Banner identification issues.
  11. Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.
  12. Previously known vulnerable libraries without a working Proof of Concept.
  13. Vulnerabilities that only affect users of outdated or unpatched browsers.
  14. Attacks requiring MITM or physical access to a user’s device.

Reward

Kaseya may offer monetary recognition for vulnerability reports that have a significant business impact on our customers, products, or services. Rewards for qualifying findings will range from $101, to $10,101 in appreciation of your help protecting business critical ones and zeros.

Eligibility for monetary recognition is determined by calculating the internal severity of a finding against the potential impact to Kaseya and its customers. We reserve the right, in our sole and absolute discretion, to determine vulnerability qualification for a monetary reward.

Assuming that the issue in question is determined to be valid and significant, the following rules apply:

  • You must agree and adhere to the Program Rules as stated previously. · You must report in your individual capacity, and not on behalf of a company or entity.
  • You must be the first person to report the issue to us. We will review duplicate issues to see if they provide additional information, but otherwise typically recognize only the first reporter.
  • You must be available to supply additional information as needed by our team to reproduce and triage the issue.
  • The existence of a vulnerability in multiple applications will be factored into a recognition decision; duplicate reports will be closed without recognition.
  • We provide a reward at the time of fix.
  • Active and former Kaseya employees, their family members and their household members are not eligible for participation in this program.
  • You must be 18 years or older and can receive electronic payments to be eligible for a monetary reward.
  • You are responsible for the payment of taxes applicable to any reward, including withholdings. Kaseya makes no representations regarding the tax consequences of reward payments. At Kaseya’s discretion, reward recipients will be issued tax forms for the value of the reward and may be required to provide information to Kaseya in order to properly report the reward to applicable governments.

Thank you for helping us keep Kaseya and our customer’s data safe.

Legal

Non-Disclosure Agreement: All information relating to vulnerabilities that you become aware of through Kaseya’s VDP is considered confidential. In order to give Kaseya time to remediate a vulnerability, you agree to refrain from disclosing confidential information publicly or to any third party (outside of Kaseya) without prior, written approval from the Information Security team at Kaseya: [email protected]. You agree to honor any request from the Information Security team at Kaseya to promptly return or destroy all copies of confidential information and all notes related to the confidential information.

In honor of our commitment to collaboration and transparency, the Kaseya Information Security team will not withhold approval of disclosure unless Kaseya believes, in good faith, that confidentiality is required to avoid material harm.

You must comply with all applicable laws, rules and regulations (including those local to you) with respect to your activities related to Kaseya’s VDP. Rewards will not be issued to you if you are (a) in an US embargoed country or (b) on a US Government list of sanctioned or restricted individuals or affiliated with any sanctioned or restricted entities.

Kaseya reserves the right to modify the terms and conditions of this VDP and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our VDP terms and eligibility, which are effective upon posting. We reserve the right to cancel this Program at any time.

Safe Harbor

Any activities conducted in a manner consistent with this Program will be considered authorized conduct and we will not initiate legal action against you.

When conducting vulnerability research under this Policy, we consider this research to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this Policy.
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels before going any further.