Security Policy

We take the security of RevoGrid Pro seriously. This document outlines how to report vulnerabilities, what is in scope, our disclosure policy, and expected timelines.

Supported Versions

We provide security updates for the latest minor release line of the portal and Pro plugins.

  • Latest stable (current minor): Supported
  • Older minors/majors: Best‑effort only; please upgrade to receive fixes

Security fixes may be delivered as patch releases. If a fix is not feasible, we will provide mitigation guidance when possible.

Reporting a Vulnerability

Please use one of the following private channels:

  1. GitHub Private Vulnerability Reporting (PVR) for this repository, if enabled
  2. Your commercial support channel (as provided with your license)
  3. As a fallback, reach out via our website contact form: Contact us

Provide as much detail as possible:

  • Affected component(s) and version(s)
  • Impact and severity
  • Reproduction steps, proof‑of‑concept, or sample project
  • Environment details (OS, browser/runtime, configuration)
  • Any suggested mitigations

Please do not disclose the issue publicly until we complete remediation.

Disclosure Policy & Timelines

We aim to follow coordinated disclosure practices.

  • Acknowledgement: within 2 business days
  • Triage and initial assessment: within 7 business days
  • Fix or mitigation target: within 30 days for High/Critical, 90 days for Medium/Low

Timelines may vary based on complexity and scope. We will keep you updated on progress and expected release dates.

Scope

In scope:

  • RevoGrid Pro portal and documentation site contained in this repository
  • Pro plugin source code and build artifacts under release/

Out of scope (non‑exhaustive):

  • Third‑party dependencies not maintained by us
  • Social engineering, physical attacks, or issues requiring privileged access
  • Denial of Service without a clear, actionable fix
  • Vulnerabilities that depend on outdated or unsupported browsers/runtimes

Safe Harbor

We will not pursue legal action against researchers who:

  • Make a good‑faith effort to avoid privacy violations and service disruption
  • Do not exfiltrate data beyond what is necessary to demonstrate a vulnerability
  • Provide us a reasonable time to remediate before public disclosure
  • Comply with applicable laws

If you are unsure whether your research is covered, contact us first using the reporting channels above.

Credit

We are happy to credit researchers who responsibly disclose vulnerabilities and wish to be acknowledged. Let us know how you would like to be recognized.