We at Kaseya take the security of our products very seriously and we would like to provide some additional detail about the product vulnerabilities that we recently disclosed:
- Security awareness is built into Kaseya’s R&D processes, and as the leader in the RMM market, we hold ourselves to the same high standards regarding responsible security disclosures as other market leaders such as Oracle, Microsoft, and Cisco — and, regrettably, vulnerabilities are found in all software products.
- Our security incident response process worked — we were contacted by the security researcher who discovered the vulnerability, and we commenced analysis of it with him, including what would be required to fix it. The researcher followed the industry practice of not disclosing the vulnerability for a fixed period of time to allow us time to mitigate it.
- We then developed a patch for this complex issue for all affected versions, so that our customers would not be forced to do an emergency upgrade to mitigate this vulnerability.
- We then notified our users of the vulnerability and the upcoming availability of a patch and advised them to schedule the update before the vulnerability was disclosed on September 11th. This gave them time to deploy the patch during one of their normal maintenance windows so that customer-facing operations were not affected.
- The responsible party then disclosed the vulnerability after our customers had ample opportunity to apply the patch.
For an in-depth discussion of how seriously we take security in our R&D processes at Kaseya, please read the following blog post by our CTO, Dana Epp, who is a well-known industry expert in security.