Security Contact
To report a security vulnerability or request security documentation, please contact us via email at our Contact page. We acknowledge security reports within 2 business days.
Reporting a Vulnerability
If you believe you have found a security vulnerability in RPM Remote Print Manager® ("RPM") please contact us via email at our Contact page with a description of the issue, the product version affected, and steps to reproduce if available. If you require confidential handling, say so in your message and we will respond accordingly.
We ask that you allow us 90 days to investigate and remediate before public disclosure. We will keep you informed of our progress and coordinate the disclosure timeline with you.
Questions about CVEs
If you have a question about one or more specific CVEs, please contact us. We have a number of CVE-related responses on file with NIST. We actively monitor our third-party components for published CVEs and assess each for applicability to our products. Where a CVE affects a code path we use, we address it according to our response timelines above.
Response Commitments
| Severity | Criteria | Response Target |
|---|---|---|
| Critical | Remote code execution, unauthenticated data access, service compromise | Hotfix within 7 days; direct customer notification |
| High | Significant exploit potential; meaningful impact to service or data | Fix within 30 days; included in next release |
| Medium | Limited exploit potential or significant preconditions required | Fix within 90 days |
| Low | Minimal practical impact | Reviewed quarterly |
Severity is assessed using the CVSS framework. Where a fix cannot be delivered within the stated timeline, we will communicate the delay and any interim mitigating measures to affected customers.
Documentation Available on Request
The following security documentation is available to customers and qualified vendors upon request. Use our contact page to send us a request.
- Software Bill of Materials (SBOM) — CycloneDX format; covers all third-party components
- VEX (Vulnerability Exploitability eXchange) — disposition of specific CVEs against specific product versions
- SAST Statement — static analysis practices and findings summary
- SDLC Practices Statement — development lifecycle, security practices, and dependency management
- Vulnerability Management Program and Policy — identification, assessment, remediation, and disclosure processes