AvePoint has a standard policy for receiving reports of potential security and privacy vulnerabilities in its products and services, and a standard practice with regard to informing customers of verified vulnerabilities and remediation guidance.
1. When to Contact
Contact the AvePoint Product Security Incident Response Team by sending an email to security@avepoint.com in the following situations:
- You have identified a potential security/privacy vulnerability with one of our products.
- You have identified a potential security/privacy vulnerability with one of our services.
After your incident report is received, the appropriate personnel will contact you to follow up.
2. AvePoint Product Security and Privacy Incident Response Process
AvePoint follows a multi-step process when responding to vulnerabilities and notifying our customers.
2.1 Vulnerability Report Received
AvePoint attempts to acknowledge receipt of all submitted reports within seven (7) days. Acknowledgement may be delayed by company or national holidays; in those cases, AvePoint will make every attempt to respond within the seven (7)-day window once normal business activities resume.
2.2 Verification
Once a finder has initiated contact with AvePoint regarding a potential vulnerability, AvePoint will attempt to verify the existence of the vulnerability using several methods. To aid in the verification of a suspected vulnerability, AvePoint may or may not choose to engage with the disclosing parties. If AvePoint determines that the finder has not provided enough information, AvePoint may contact the finder to request additional details. In all cases, AvePoint attempts to respond to properly formatted vulnerability reports within seven (7) days of notice of the vulnerability.
2.3 Resolution Development
When determining the best resolution, AvePoint will attempt to balance the need to create a resolution quickly with the testing required to ensure the resolution does not negatively impact affected users due to quality issues. In making this determination, AvePoint will consider factors such as whether a vulnerability poses a high risk of exploitation of affected users, either because it is simple to exploit, or because the issue is already being actively exploited.
A temporary or intermediary resolution that consists of a mitigation or workaround may be necessary in cases where a vulnerability poses a high risk to users. A non-comprehensive resolution that works in most scenarios may also be necessary in high-risk circumstances.
2.4 Notification
In situations where customers are impacted or action from customers is required, AvePoint makes every effort to disclose the information a customer needs to assess the impact of a vulnerability in their environment, along with any steps required to mitigate the threat. AvePoint does not intend to provide details that could enable a malicious actor to develop an exploit. In no case will AvePoint disclose a vulnerability until a patch has been developed or a set of mitigating controls has been verified to significantly reduce the threat.
AvePoint may also post notifications to assure customers and investors that certain critical vulnerabilities have been reviewed and determined as not applicable to AvePoint’s infrastructure or products.
At its discretion, AvePoint gives credit to external vulnerability discoverer(s) only if:
- They desire to be identified as a discoverer and have provided explicit consent to divulge their identity.
- They gave AvePoint the opportunity to remediate and notify our customer base prior to making the vulnerability public.
Organizations, teams, individuals, or any combination thereof may be identified as discoverers. It is the responsibility of each discoverer to obtain any necessary permission from its employer to be identified by AvePoint.
2.5 Post-Resolution Support
Updates to the vulnerability resolution may be required after AvePoint has released a security publication, associated software patches, or software updates. If an update is required, AvePoint will update security and privacy resolutions as appropriate, until further updates are no longer relevant.
The most current and effective version of this document is available and maintained on the AvePoint ISMS/PIMS. The Company may revise, rescind or add to any policies, benefits or business practices from time to time in its sole and absolute discretion, with or without prior notice.
3. Scoring, Prioritizing, and Responding
AvePoint uses the Common Vulnerability Scoring System (CVSS) when evaluating reported vulnerabilities, and uses the following publication types when determining how and when a vulnerability will be disclosed:
Security/Privacy Alert – provide information about significant security/privacy vulnerabilities that directly affect AvePoint products and require a software upgrade, patch, or other customer action to remediate
Security/Privacy Notice – document medium severity security/privacy issues that directly involve AvePoint products but do not warrant the visibility of an AvePoint Security Advisory
Security/Privacy Response – address issues that require a response to information discussed in a public forum, such as a blog or discussion list; security/privacy responses are normally published if a third party makes a public statement about an AvePoint product vulnerability
Release Note Enclosure – provides information about low severity security vulnerabilities
For more information about CVSS, visit the FIRST.org website.
Version | Effective Date | Author | Summary of Changes |
---|---|---|---|
1.0 | March 2017 | Security Team | Initial version |
2.0 | May 2018 | Security Team | Updated for ISO compliance |
2.1 | May 2019 | Security Team | Annual Review |
2.1 | May 2020 | Security Team | Annual Review |
2.2 | February 2021 | Security Team | Annual Review - Added Authors To Revision History |
2.3 | May 2022 | George Wang | Annual Review and Update |
2.4 | February 2023 | George Wang | Annual Review and Update |
2.5 | October 27, 2023 | Chris Hodum | Updated Notification Details For Vulnerabilities With No Impact To AvePoint. |
2.6 | May 2, 2024 | Chris Hodum | Annual Review |
2.7 | April 11, 2025 | Chris Hodum | Annual Review |
Validity and Document Management
This document is valid as of April 11, 2025.
The owner of this document is the Security and Privacy Team, who must check and, if necessary, update the document at least once every twelve months.