rConfig Security Policy
Development Practices
At rConfig, we follow stringent development practices to enhance our software's security and reliability. Our developers adhere to specific coding guidelines designed to maintain high standards throughout the software lifecycle.
- Code reviews by senior developers prior to integration into the main codebase.
- Comprehensive testing by our Quality Assurance team to ensure robustness and security.
- Regular internal security audits conducted by the rConfig Security Team.
Internal Audits
Each major release of rConfig undergoes a thorough internal security audit to identify and address potential vulnerabilities before the release ships.
Disclosure and Issue Reporting
We follow a responsible disclosure process. We ask that any security issue be reported directly to our security team so that it can be remediated before it is disclosed to the public.
To report a security issue:
- Check that the issue is directly related to rConfig and not due to server configuration or third-party scripts.
- Submit the details through the secure issue tracker in the help and support tool of the rConfig portal; that tracker is accessible only to the rConfig security team.
- Provide as much information as possible, including steps to reproduce the issue, the affected rConfig version, and the type of security concern.
How rConfig Deals with Reported Security Issues
At rConfig, addressing security issues swiftly and effectively is a top priority. Our dedicated Security Team follows a structured protocol to manage and resolve reported security concerns.
- Issue Review: The rConfig Security Team promptly reviews each reported issue, assessing whether it is genuine and what its impact is. This initial evaluation determines the urgency and the resources needed for resolution.
- Impact Analysis: We conduct a thorough analysis to understand the potential impact on our systems and clients. This includes identifying which versions and components are affected.
- Development of Fix: Our developers prioritize creating a fix or workaround as quickly as possible. This phase covers coding, thorough testing, and integration into the affected versions.
- Client Communication: We keep our clients informed throughout the process. Clients with support agreements receive notifications about the vulnerability and guidance on mitigating any potential risks pending the release of a fix.
- Update and Patch Release: Once a fix is ready and verified, we release software updates and patches. Details on how to apply these updates are clearly communicated to ensure easy implementation for all users.
- Public Disclosure: After addressing the issue and updating our clients, we make a public announcement describing the issue and the steps we have taken to resolve it. This transparency helps to maintain trust and shares lessons that can benefit the wider community.
Disclosure and Communication of Security Issues
rConfig is committed to responsible disclosure and open communication regarding security issues. We believe in fostering a secure environment through transparency with our clients and the broader community.
Our approach to disclosing security issues is designed to provide timely and accurate information while ensuring that vulnerabilities are addressed before they can be exploited.
- Internal Validation: Once a security issue is reported, our team works diligently to validate and reproduce the issue. This step ensures that we fully understand the scope and impact before making any public statements.
- Client Notification: We notify all affected clients through secure channels. This notification includes detailed information about the vulnerability, the potential impacts, and recommended mitigative actions. Clients are given a timeframe to apply patches and updates before a broader disclosure is made.
- Public Announcement: After ensuring that our clients have had sufficient time to secure their installations, we release a public announcement. This includes a summary of the issue, the affected versions, the fixes available, and guidance for users on how to update their systems.
- Collaboration and Feedback: We actively encourage feedback from our users and the security community regarding our handling of security issues. This collaboration helps us improve our security practices and response strategies.