Redgate logo for print use

Product security policy

Redgate's secure development practices

Redgate’s product development teams use agile processes to continually improve our products. We don’t have distinct SDLC phases or gated security reviews, but our working practices let us quickly identify, respond to and fix vulnerabilities.

All Redgate’s product teams receive security training.

Our products are all subject to extensive suites of automated checks, both for product functionality and known vulnerabilities in external dependencies.

Our product teams peer-review any code changes, either via pull requests or pair or mob programming.

From time to time, we engage external security vendors to perform independent security testing of our products.

Reporting a vulnerability in one of Redgate's products or services

If you become aware of a security vulnerability in any of Redgate's products, services or websites, contact

We encourage the responsible disclosure of security issues, and will act quickly on any vulnerabilities reported. We will not take legal action against you if you:

How we prioritise fixing vulnerabilities

We use CVSSv3 scores to prioritise vulnerabilities in our products:

We will release fixes for security vulnerabilities in the latest versions of our products. We recommend maintaining a current, fully paid up support term for your software to ensure you remain eligible for the latest versions of our products.

Retired products will not receive security fixes.

How we announce vulnerabilities

We will announce critical and high severity vulnerabilities at the same time as publishing a fix or, where applicable, workaround for the affected product.

Where multiple products are affected, we will announce fixes for each product individually.

A list of previously announced security vulnerabilities is available here.