Responding to Customers and Prospects' Scanning Results
This page was inspired by GitLab's handbook page on responding to customer scan review requests: https://handbook.gitlab.com/handbook/security/product-security/application-security/responding-customers-scan-review-requests/.
At Rocket.Chat, we scan our own products (as described in Code Analysis). Our Security team is responsible for monitoring the vulnerabilities identified in these reports and either addressing them directly or collaborating with our Engineering team to implement fixes.
We occasionally receive reports from customers and prospects about potential vulnerabilities flagged by their own scanning tools. While we appreciate these efforts, we kindly ask that a reasonable initial review be conducted before reaching out to us. This collaborative approach helps us prioritize and address the most critical issues more effectively.
Accepted Scans
We accept vulnerability reports from the following types of security scans:
SAST (Static Application Security Testing)
DAST (Dynamic Application Security Testing)
Dependency Scanning
Container Scanning
Secrets Scanning
To help us evaluate reported vulnerabilities effectively, please include the following for each submission:
Your assessment and analysis of the identified vulnerability.
A step-by-step explanation demonstrating how the vulnerability can be exploited in your specific environment or instance.
Any relevant context, including environment details, specific security concerns, and the potential impact.
Additionally, when submitting scan results, please attach the full report. Avoid sending partial exports such as .csv or .txt files containing only a list of findings. Providing complete and detailed information enables us to respond more accurately and efficiently.
Will Rocket.Chat Review All Vulnerabilities?
We are only able to review scanner results for vulnerabilities rated Critical or High severity. Due to limited resources, we’re unable to evaluate findings classified as Medium, Low, or Informational.
SLO
Our goal is to respond to customer and prospect requests within 15 business days.
Where Should I Submit My Scan Results?
You can submit your scan result to security@rocket.chat.