
Product security policy

Redgate's secure development practices

Redgate’s product development teams use agile processes to continually improve our products. We don’t have distinct SDLC phases or gated security reviews, but our working practices let us quickly identify, respond to and fix vulnerabilities.

All Redgate’s product teams receive security training.

Our products are all subject to extensive suites of automated checks, both for product functionality and known vulnerabilities in external dependencies.

Our product teams peer-review any code changes, either via pull requests or pair or mob programming.

From time to time, we engage external security vendors to perform independent security testing of our products.

Reporting a vulnerability in one of Redgate's products or services

If you become aware of a security vulnerability in any of Redgate's products, services or websites, contact security@red-gate.com.

We encourage the responsible disclosure of security issues, and will act quickly on any vulnerabilities reported. We will not take legal action against you if you:

  • Provide us with the information needed to reproduce and validate the vulnerability
  • Avoid violating the privacy of our customers, staff and other users
  • Avoid the destruction of data, or degradation of our services
  • Don’t intentionally modify or access data that is not your own
  • Give us a reasonable time to address the issue before making any information public

How we prioritise fixing vulnerabilities

We use CVSSv3 scores to prioritise vulnerabilities in our products:

  • We aim to fix critical severity issues (CVSS v3 score >= 9) within 4 weeks of being reported
  • We aim to fix high severity issues (CVSS v3 score >= 7) within 8 weeks of being reported
  • We aim to fix medium severity issues (CVSS v3 score >= 4) within 12 weeks of being reported
  • Low severity issues (CVSS v3 score < 4) will be reviewed and prioritised with other product development work.

We will release fixes for security vulnerabilities in the latest versions of our products. We recommend maintaining a current, fully paid-up support term for your software to ensure you remain eligible for the latest versions of our products.

Retired products will not receive security fixes.

How we announce vulnerabilities

We will announce critical and high severity vulnerabilities at the same time as publishing a fix or, where applicable, a workaround for the affected product.

Where multiple products are affected, we will announce fixes for each product individually.

A list of previously announced security vulnerabilities is available here.