Vulnerability Disclosure Policy

Report a vulnerability

As a provider of security software, services, and research, we take security issues very seriously and recognize the importance of privacy, security, and community outreach. As such, we are committed to addressing and reporting security issues through a coordinated and constructive approach designed to drive the greatest protection for technology users. Whether you’re a user of Rapid7 solutions, a software developer, or simply a security enthusiast, you’re an important part of this process.

Reporting security issues

If you believe you have discovered a vulnerability in a Rapid7 product or have a security concern you would like to report, please fill out this contact form. If you feel the need, please use our PGP public key - KeyID: 959D3EDA - to encrypt your communications with us.

To ensure we have sufficient information to assess the issue, please include as much detail as possible in your report. At a minimum, we ask that you include the following:

  • A description of the issue
  • Steps to reproduce the issue
  • Potential impact of the issue
  • Any relevant supporting information (e.g., screenshots, logs, proof-of-concept code)
  • How you would like to be credited in any relevant advisory. 

Once we have received a vulnerability report, Rapid7 will acknowledge receipt of the report within 3 days and take a series of steps to address the issue:

  • Rapid7 assesses and  verifies the legitimacy of the vulnerability.
  • Rapid7 categorizes the vulnerability’s severity based on potential impact.
  • Rapid7 will develop a remediation plan based on severity and implement a fix. Rapid7 will typically aim to prepare and publish advisories detailing newly discovered vulnerabilities approximately 60 days upon verification of vulnerability.
    • For vulnerabilities deemed a Low Impact, those that are are trivial enough that an exploit would cause safely ignorable consequences to affected production environments, or limited to a single production instance, such as one website not connected to critical infrastructure, or extant in only theoretical or very unlikely configurations of affected systems, are not bound to the 60 day timeline.
  • Rapid7 will communicate the proposed fix with the reporter and provide an opportunity for comment. 
  • Upon confirmation with the reporter, release notes (and blog posts when issued) include a reference to the agreed upon advisory credit, unless the reporter(s) would prefer to stay anonymous.
  • Rapid7 publicly announces the vulnerability in the release notes of the update. Rapid7 may also issue additional public announcements, for example via social media, our blog, and media.

Rapid7 will endeavor to keep the reporter apprised of every step in this process as it occurs. Our commitment to you is to:

  • Maintain open communication and coordination about the progress and status of the disclosure.
  • Respect the confidentiality of the reporter and the information disclosed.
  • Agree upon and honor the public disclosure timeline.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and services, and better protect our customers. Thank you for working with us through the above process. Rapid7 does not provide financial compensation for disclosing vulnerabilities nor engage in a bug bounty program.