Security Advisories Policy

Overview

We are committed to the security of our products and transparent communication with our users. This page serves as the central repository for all security bulletins and public advisories for our .NET components.

Sign up for Security Bulletins | Report a Vulnerability

Our Disclosure Process

To ensure our users can secure their systems, we assess each security issue for importance and relevance and follow a phased disclosure process for those we assess as significant.

Our primary goal is to ensure our users can secure their systems before vulnerability details become public. To achieve this, we follow a phased disclosure process:

1. Prioritized User Notification

  • Upon remediating a confirmed vulnerability, we will first notify our active user base through a dedicated security bulletin distributed via our newsletter.
  • This initial notification will contain the information necessary for users to assess impact and apply patches or mitigations, but as far as is practical, will withhold detailed technical specifics that could aid in developing an exploit.

2. Public Disclosure

  • After a reasonable embargo period (typically 30-60 days following the availability of the patch, depending on severity), we will publish a full Security Advisory on our public website.
  • This public advisory will contain complete technical details, including the Common Vulnerabilities and Exposures (CVE) identifier if assigned.

This process balances our duty to protect users with the principles of transparency and contributes to the knowledge of the broader security community.

Security issues we believe to be less relevant or important may be released via direct public disclosure. Irrelevant or unimportant issues will not be reported.

This policy may be updated periodically. The current version is always available at this location.

Security Advisories

2017-02-15 | [WSG-2017-001]
Potential PostScript or EPS information leak.

  • Severity: Medium | Status: Resolved | Full Advisory
  • Conditions: Only relevant if you accept untrusted EPS or PostScript files for processing.
  • Products Affected: ABCpdf versions prior to 10.1.2.0
  • Products Affected: ImageGlue versions prior to 7.4.0.6

2024-10-16 | [WSG-2024-001]
Potential time of PDF processing leak.

  • Severity: Low | Status: Resolved | Full Advisory
  • Conditions: Only relevant if you accept untrusted PDF documents for processing.
  • Products Affected: ABCpdf versions prior to 13.2.0.0
  • Products Affected: ImageGlue versions prior to 8.6.0.0