Datto’s Vulnerability Disclosure Program (VDP)

Introduction

Among Datto’s primary commitments to its customers is protecting the confidentiality, integrity, and availability of their data. We value external contributions towards the improvement of our security posture and believe that collaboration with security professionals is imperative in today’s world. As such, we also believe it is our responsibility to facilitate a disclosure program that encourages responsibility, professionalism, and discretion when dealing with sensitive matters.

Expectations

When acting in accordance with this policy, you can expect us to:

  • Work with you to understand and validate your report, including a timely initial response to the submission.
  • Work to remediate validated vulnerabilities in a timely manner.
  • Recognize your contribution to our security posture if you are the first to report a unique and significant vulnerability.

While acting in accordance with this program’s objectives, we expect you to:

  • Operate in good faith, never intentionally viewing, storing, modifying, or destroying data that does not belong to you.
  • Carefully and thoughtfully choose payloads so as to demonstrate issues without negatively impacting Datto’s customers or services.
  • Maintain the confidentiality of all information related to your findings for the period of time as described in the Program Rules (see below).
  • Be able to provide a log of all activity related to your discovery, including your IP address(es) and timestamped requests to aid us in validation and investigation.

Program Rules

As part of your participation in this program, you agree to adhere to all of the following rules:

  • Do not perform denial of service attacks, or any attacks that have a reasonable chance of degrading service or customer experience.
  • Do not intentionally view, store, modify, or destroy data that does not belong to you.
  • Do not use tools which automate exploit payloads (e.g. sqlmap).
  • Use only csirt-notify@datto.com to submit vulnerability information to us. A Datto employee will then contact you from an alternate address, at which you may continue your communication.
  • Only perform testing on in-scope systems and services (see below).

We understand that the very act of identifying a vulnerability may contradict some of these rules, but we trust and expect that you will operate in good faith and limit these contraventions to the minimum extent necessary.

Please note that participants in this program are required to maintain the confidentiality of all information related to their findings, never disclosing vulnerabilities or privileged information to any entity outside of Datto before receiving our explicit permission. This gives us the opportunity to remediate the issue(s).

In-scope Systems and Services

Any Datto-owned web service that handles sensitive user data is intended to be in scope. This includes content in the following domains:

  • *.autotask.net
  • *.backupify.com
  • *.centrastage.net
  • *.cloudtrax.com
  • *.datto.com
  • *.dattobackup.com
  • *.gluh.co
  • *.openmesh.com
  • *.soonr.com

Vulnerabilities in Datto-developed mobile apps, as well as in our hardware devices, also qualify.

Recognition

Datto may offer recognition for vulnerability reports that have a significant business impact on our customers, products, or services. Recognition may include Datto swag, an entry onto a wall of fame, a social media acknowledgement, gifts, or, in an exceptional case, a monetary reward. The eligibility of a vulnerability for recognition is at our discretion and is highly dependent upon the sensitivity of the affected information and severity of the issue.

For example, it is common in the industry for there to be no recognition given if a bug is of little significance to a company’s security posture. To give you an idea of the types of issues which will not qualify for recognition, take a look at Google’s list of non-qualifying findings.

Assuming that the issue in question is determined to be valid and significant, the following rules apply:

  • You must agree and adhere to the Program Rules as stated previously.
  • You must be the first person to report the issue to us. We will review duplicate issues to see if they provide additional information, but otherwise only recognize the first reporter.
  • You must be available to supply additional information as needed by our team to reproduce and triage the issue.
  • Many of our applications share a common platform and may thereby also share vulnerabilities. Please include all occurrences of an issue in one report instead of submitting them as multiple reports. The existence of a vulnerability in multiple applications will be factored into a recognition decision; duplicate reports will be closed without recognition.
  • We provide recognition at the time of fix. We will keep you posted as we work to resolve issues.
  • Active and former Datto employees are not eligible for participation in this program.
  • You must be 18 years or older and possess a PayPal account to be eligible for a monetary reward.

Reporting

If you believe you’ve found a security issue in one of our products or services, please email us at csirt-notify@datto.com and include the following details within your report:

  • A brief description of the issue and all instances or endpoints at which it is located.
  • Screenshots and/or videos demonstrating the issue.
  • Step-by-step instructions on how to reproduce the issue, including any exploit code.
  • Operating system and/or version information, if relevant.

With regard to the above, please note the following:

  • Do not upload screenshots, videos, or exploit code to a publicly accessible server/repository in preparation of your email.
  • Do not zip or archive your files (just attach them directly to the email).

If you feel the need, you may use our PGP public key to encrypt your communications with us.

Thank you for helping us keep Datto and our customers’ data safe.

Legal

Datto reserves the right to modify the terms and conditions of this Program and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our Program terms and eligibility, which are effective upon posting. We reserve the right to cancel this Program at any time.

Safe Harbor

Any activities conducted in a manner consistent with this Program will be considered authorized conduct and we will not initiate legal action against you.