Vulnerability Reporting Policy

AvePoint has a standard policy for receiving reports related to potential security vulnerabilities in its products and services, and a standard practice with regards to informing customers of verified vulnerabilities and remediation guidance.

1. When to Contact

Contact the AvePoint Product Security Incident Response Team by sending an email to security@avepoint.com in the following situations:

- You have identified a potential security vulnerability with one of our products.
- You have identified a potential security vulnerability with one of our services.

After your incident report is received, the appropriate personnel will contact you to follow up.

2. AvePoint Product Security Incident Response Process

AvePoint follows a multi-step process when responding to vulnerabilities and notifying our customers.

2.1 Vulnerability Report Received

AvePoint attempts to acknowledge receipt of all submitted reports within seven days. In some instances, acknowledgement of receipt may be delayed due to company or national holidays. In those cases, AvePoint will make every attempt to respond within the seven-day window upon the resumption of normal business activities.

2.2 Verification

Once a finder has initiated contact with AvePoint regarding a potential vulnerability, AvePoint will attempt to verify the existence of the vulnerability using several methods. To aid in the verification of a suspected vulnerability, AvePoint may or may not choose to engage with the disclosing parties. If AvePoint determines that the finder has not provided enough information, AvePoint may contact the finder to request additional details. In all cases, AvePoint attempts to respond to all properly formatted vulnerability reports within seven days of receipt.

Once a finder has initiated contact with AvePoint regarding a potential vulnerability, AvePoint PSIRT engineers will attempt to verify the existence of the vulnerability using several methods. To aid in the verification of a suspected vulnerability, AvePoint may or may not choose to engage with the disclosing parties. In the event that AvePoint determines that the finder has not provided enough information, AvePoint may contact the finder to request additional details. In all cases, AvePoint attempts to respond to all properly formatted vulnerability reports within 7 days of receipt.

2.3 Resolution Development

When determining the best resolution, AvePoint will attempt to balance the need to create a resolution quickly with the testing required to ensure the resolution does not negatively impact affected users due to quality issues. In making this determination, AvePoint will consider factors such as whether a vulnerability poses a high risk of exploitation of affected users, either because it is simple to exploit, or because the issue is already being actively exploited.

A temporary or intermediary resolution that consists of a mitigation or workaround may be necessary in cases where a vulnerability poses a high risk to users. A non-comprehensive resolution that works in most scenarios may also be necessary in high-risk circumstances.

2.4 Notification

Without exception, AvePoint makes every effort to disclose the minimum amount of information required for a customer to assess the impact of a vulnerability in their environment as well as any steps required to mitigate the threat. AvePoint does not intend to provide any details that could enable a malicious actor to develop an exploit. In no case will AvePoint disclose a vulnerability until a patch has been developed or a set of mitigating controls have been verified to significantly reduce the threat.

AvePoint security publications are posted to its support page and sent to the security@avepoint.com.

At its discretion, AvePoint gives credit to external vulnerability discoverer(s) only if:

- They desire to be identified as a discoverer and have provided explicit consent to divulge their identity.
- They gave AvePoint the opportunity to remediate and notify our customer base prior to making the vulnerability public.

Organizations, teams, individuals, or any combination thereof may be identified as discoverers. It is the responsibility of each discoverer to obtain any necessary permission from its employer to be identified by AvePoint.

2.5 Post-Resolution Support

Updates to the vulnerability resolution may be required after AvePoint has released a security publication, associated software patches, or software updates. If an update is required, AvePoint will update security resolutions as appropriate, until further updates are no longer relevant.

A temporary or intermediary resolution that consists of a mitigation or workaround may be necessary in cases where a vulnerability poses a high risk to users. A non-comprehensive resolution that works in most scenarios may also be necessary in high-risk circumstances.

Updates to the vulnerability resolution may be required after AvePoint has released a security publication, associated software patches or software updates. If an update is required, AvePoint will update security resolutions as appropriate, until further updates are no longer relevant.

A temporary or intermediary resolution that consists of a mitigation or workaround may be necessary in cases where a vulnerability poses a high risk to users. A non-comprehensive resolution that works in most scenarios may also be necessary in high-risk circumstances.

3. Scoring, Prioritizing, and Responding.

AvePoint uses the following Common Vulnerability Scoring System (CVSS) guidelines during the evaluation of reported vulnerabilities and when determining how and when vulnerability will be disclosed:

Security Alert – provide information about significant security vulnerabilities that directly affect AvePoint products and require a software upgrade, patch, or other customer action to remediate

Security Notice – document low and medium severity security issues that directly involve AvePoint products but do not warrant the visibility of a AvePoint Security Advisory

Security Response – address issues that require a response to information discussed in a public forum, such as a blog or discussion list; security responses are normally published if a third party makes a public statement about an AvePoint product vulnerability

Release Note Enclosure – provides information about low severity security vulnerabilities

For more information about CVSS, visit the FIRST.org website.

4. Notices and Copyright Information

Notice

The materials contained in this publication are owned or provided by AvePoint, Inc. and are the property of AvePoint or its licensors, and are protected by copyright, trademark and other intellectual property laws. No trademark or copyright notice in this publication may be removed or altered in any way.

Copyright

Copyright ©2023 AvePoint, Inc. All rights reserved. All materials contained in this publication are protected by United States and international copyright laws and no part of this publication may be reproduced, modified, displayed, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written consent of AvePoint, 525 Washington Blvd, Suite 1400, Jersey City, NJ 07310, USA or, in the case of materials in this publication owned by third parties, without such third party’s consent. Notwithstanding the foregoing, to the extent any AvePoint material in this publication is reproduced or modified in any way (including derivative works and transformative works), by you or on your behalf, then such reproduced or modified materials shall be automatically assigned to AvePoint without any further act and you agree on behalf of yourself and your successors, assigns, heirs, beneficiaries, and executors, to promptly do all things and sign all documents to confirm the transfer of such reproduced or modified materials to AvePoint.

Trademarks

AvePoint®, DocAve®, the AvePoint logo, and the AvePoint Pyramid logo are registered trademarks of AvePoint, Inc. with the United States Patent and Trademark Office. These registered trademarks, along with all other trademarks of AvePoint used in this publication are the exclusive property of AvePoint and may not be used without prior written consent.

Microsoft, MS-DOS, Internet Explorer, Office, Office 365, SharePoint, Windows PowerShell, SQL Server, Outlook, Windows Server, Active Directory, and Dynamics CRM 2023 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Adobe Acrobat and Acrobat Reader are trademarks of Adobe Systems, Inc.

All other trademarks contained in this publication are the property of their respective owners and may not be used without such party’s consent.

Changes

The material in this publication is for information purposes only and is subject to change without notice. While reasonable efforts have been made in the preparation of this publication to ensure its accuracy, AvePoint makes no representation or warranty, expressed or implied, as to its completeness, accuracy, or suitability, and assumes no liability resulting from errors or omissions in this publication or from the use of the information contained herein. AvePoint reserves the right to make changes in the Graphical User Interface of the AvePoint software without reservation and without notification to its users.

AvePoint, Inc.
525 Washington Blvd, Suite 1400
Jersey City, NJ 07310

Visit Trust Center for more information