To encourage responsible disclosure, we commit that we will not take legal action against you nor ask law enforcement to investigate if we determine that you have complied with the above responsible disclosure guidelines.
We ask that you follow these responsible disclosure guidelines.
Product Vulnerability Reporting
If you believe you have discovered a vulnerability in one of our products, please contact us immediately so that we may resolve the issue as quickly as possible. You may email the details of the vulnerability to email@example.com. Please include the following information:
- Product name and version.
- A description of the vulnerability and why it is exploitable.
- Evidence of a successful exploit and complete steps to reproduce the exploit. Screenshots or video are preferred.
Please include as much information as possible. If we cannot reproduce the exploit with the information provided, we will be unable to proceed further.
We will attempt to respond to all reports within 3 business days however the time to research the issue may be longer. Depending on the outcome, detailed results of the investigation may not be made available until a fix is released.
Responses to Penetration or Vulnerability Testing Reports
If you have received a vulnerability assessment or penetration test report for your installed instance of an Posit product and would like Posit to comment, please please submit a support ticket at https://support.posit.co and include the following information:
- The full detail of each finding, without redaction.
- If submitting the full report, a list of which findings require comment.
- An acknowledgement that you have independently verified each vulnerability requiring comment and determined they are not due to a configuration setting.
Please include as much information as possible. If we cannot reproduce the exploit with the information provided, we will be unable to proceed further. Turnaround time is typically two weeks but may be longer due to volume.
Potential customers: Please work with your sales representative to coordinate completion of the questionnaire. A security non-disclosure agreement may be required.
Existing customers: If your organization requires a product security questionnaire to be completed by Posit, please submit a support ticket at https://support.posit.co and include the following information:
- Contact name and email address
- Which products are to be covered
- A link to or copy of the questionnaire (if the questionnaire requires a login, we will contact the person listed in the ticket to coordinate access)
Please ensure the questionnaire is appropriate for the type of product. For example, a SaaS or cloud-based questionnaire is not applicable to on-premise software. Turnaround time is typically two weeks but may be longer due to volume.
Unfortunately at this time we are unable to complete security questionnaires for open-source products or shinyapps.io.
Bug Bounty Requests
Posit does not offer a Bug Bounty program.
If you would like to encrypt your email to us, our PGP key is available below. If you encrypt your email, please include your PGP public key in your message or else the reply.