Skip to main content

Security

Submitted by Dave Brooks on

Security Contact

To report a security vulnerability or request security documentation, please contact us via email at our Contact page. We acknowledge security reports within 2 business days.


Reporting a Vulnerability

If you believe you have found a security vulnerability in RPM Remote Print Manager® ("RPM") please contact us via email at our Contact page with a description of the issue, the product version affected, and steps to reproduce if available. If you require confidential handling, say so in your message and we will respond accordingly.

We ask that you allow us 90 days to investigate and remediate before public disclosure. We will keep you informed of our progress and coordinate the disclosure timeline with you.


Questions about CVEs

If you have a question about one or more specific CVEs, please contact us. We have a number of CVE-related responses on file with NIST.  We actively monitor our third-party components for published CVEs and assess each for applicability to our products. Where a CVE affects a code path we use, we address it according to our response timelines above.


Response Commitments

SeverityCriteriaResponse Target
CriticalRemote code execution, unauthenticated data access, service compromiseHotfix within 7 days; direct customer notification
HighSignificant exploit potential; meaningful impact to service or dataFix within 30 days; included in next release
MediumLimited exploit potential or significant preconditions requiredFix within 90 days
LowMinimal practical impactReviewed quarterly

Severity is assessed using the CVSS framework. Where a fix cannot be delivered within the stated timeline, we will communicate the delay and any interim mitigating measures to affected customers.


Documentation Available on Request

The following security documentation is available to customers and qualified vendors upon request. Use our contact page to send us a request.

  • Software Bill of Materials (SBOM) — CycloneDX format; covers all third-party components
  • VEX (Vulnerability Exploitability eXchange) — disposition of specific CVEs against specific product versions
  • SAST Statement — static analysis practices and findings summary
  • SDLC Practices Statement — development lifecycle, security practices, and dependency management
  • Vulnerability Management Program and Policy — identification, assessment, remediation, and disclosure processes

You may also be interested in:

Securing Firebird 2.5 Against External Access