No technology is perfect, and ConnectWise believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Give us at least 90 days to resolve the issue before any disclosure to the public or to a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Please Be Nice To Us
The following items are considered forbidden:
- Blind or large scans using automated tools are strictly prohibited.
- This includes automated scraping and fuzzing of endpoints (e.g. nuclei, ffuf, dalfox, etc.).
- Performing actions that may negatively affect ConnectWise or its customers (e.g. Spam, Brute Force, Denial of Service). If you see that your testing impacts ConnectWise services, please stop and inform us.
- Conducting any kind of physical attack on ConnectWise personnel, property, or data center.
- Social engineering (e.g. phishing, vishing, smishing) of any ConnectWise help desk, employee, contractor, or user.
- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability (we can verify whether the vulnerability would enable data exfiltration).
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the issue.
The following are generally considered to be out of scope if they do not directly lead to a demonstrable vulnerability or exploit:
- CSV injection
- Login/logout CSRF
- Session/cookie duration
- Provisioning and/or usability issues.
- Missing cookie flags on non-sensitive cookies
- Presence of autocomplete attribute on web forms
- Open redirects (unless chained for further exploitability)
- Fingerprinting/banner disclosure on common/public services.
- Mail configuration issues including SPF, DKIM, DMARC settings
- Disclosure of known public files or directories, (e.g. robots.txt)
- Rate limiting or brute force issues on non-authentication endpoints.
- "Self" XSS (we require evidence on how the XSS can be used to attack)
- Use of a known-vulnerable library (without evidence of exploitability)
- Vulnerabilities affecting users of unsupported or outdated browsers or platforms
- Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
- Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited.
If you are not sure whether an issue is in scope, we would appreciate it if you filed a report anyway; we would be happy to review it!
Third Party Issues
ConnectWise uses several third-party services. If they have vulnerabilities, we would like to know, especially if the vulnerability might reasonably affect our users.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.