At SolarWinds, we take our responsibility to protect our customers’ information and the software and services we provide to them very seriously.
We want security researchers to feel comfortable reporting vulnerabilities they have discovered, as set out in this policy, so that we can remediate them and keep our information and the software and services we provide safe.
This policy describes what systems and types of research are covered, rules of engagement, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities. We reserve the right to update this policy at any time, so please review the policy periodically.
The main goal of our vulnerability disclosure policy is to help ensure that vulnerabilities are patched or fixed in a timely manner with the ultimate objective of securing our customers’ and users’ information. This policy is intended to give clear guidelines for reporting potentially unknown or harmful security vulnerabilities.
We require you to:
This policy applies to the *.solarwinds.com domain and products available here:
Any products or services not expressly listed above, including any connected services, are excluded from the scope and are not authorized for testing.
Additionally, vulnerabilities found in our service providers’ systems fall outside of this policy’s scope and should be reported directly to the service provider according to their disclosure policy (if any). If you are not sure whether a system or endpoint is in scope or not, contact us at PSIRT@solarwinds.com before starting your research and let us help you to determine if the activity is in-scope or not.
We ask that researchers follow these simple rules of engagement to limit the potential that our company’s or our customers’ data may be put at risk:
If you encounter any of the below while testing within the scope of this policy, we ask that you stop your testing and notify us immediately:
We accept reports of vulnerabilities via email at PSIRT@solarwinds.com. We also support PGP-encrypted email and our public key is available to secure any communication to SolarWinds.
Your reports should include:
We may share your vulnerability reports with external third parties, as well as with any affected vendors or open source projects.
You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be compliant with this policy and we will work with you to understand and resolve the issue quickly.
Understand that we cannot control third-party rights or claims.
SolarWinds is committed to fixing verified and validated vulnerabilities reported to us and disclosing the details of those vulnerabilities in product release notes when updates to our products are made generally available. We know that public disclosure of vulnerabilities can be an essential part of the vulnerability disclosure process and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes.
At the same time, we believe that disclosure in the absence of a readily available fix tends to increase risk rather than reduce it, and so we ask that you refrain from sharing your report with others while we work on making a fix available to customers. If you believe there are others who should be informed of your report before a fix is available, please let us know so we may consider other arrangements.
We welcome and support co-publication of a coordinated advisory, but you are also welcome to self-disclose if you prefer. By default, we prefer to disclose everything; however, except where we may be required by law, we will act in good faith and never publish information about you or our communications with you without your permission. In some cases, we may also hold sensitive information that should be redacted, so please check with us before self-disclosing.
When sending information on vulnerabilities and/or other sensitive security information to SolarWinds we ask that you encrypt your communications to the security team. We have published a public PGP key that you can use to:
You can obtain a commercial or free trial version of PGP Desktop from PGP Corporation. Additionally, GnuPG is available as free software.
Security team public keys are uploaded to secure, global PGP directories which publish the latest PSIRT key(s), expiration date(s) and certificate revocation status.
The SolarWinds PSIRT public key is published to these PGP global directories: