This serves as a general index of vendors in the MSP space who may or may not have published their Vulnerability Disclosure Program (VDP) and Bug Bounty Programs (BBP) publicly.
Vendors, MSPs or security researchers who wish to have a company included in the list can ping me at [email protected] with the information to be added/updated, or provide a pull request for me to approve.
- Anyone who contacts me with links to a vendor offering products and services to MSPs may have that vendor included in the list.
- Every vendor added gets run through an assessment against security.txt (RFC 9116, served from the RFC 8615 `/.well-known/` path; see https://securitytxt.org/ for the current text) and DNS Security TXT (see https://dnssecuritytxt.org/). This populates the corresponding columns.
- All vendors are then automatically checked against webcrawl data for terms including "Vulnerability Disclosure Program", "VDP", "vulnerability", "disclosure", "bug bounty" and "BBP". Any hits are reviewed by a human, and the corresponding links are added if VDP / BBP data is found.
- Some vendors with whom I have relationships may be contacted over LinkedIn or by email.
- Every pull request will be manually reviewed for accuracy and then considered for approval. All reasonable requests will be accepted as long as the vendor clearly offers services to MSPs.
Company | VDP | BBP | Safe Harbor? | security.txt | DNS security TXT |
---|---|---|---|---|---|
Acronis | Yes | Yes | Yes | Yes | No |
Addigy | Yes | No | No | No | No |
Amazon | Yes | Yes | Yes | Yes | No |
Amazon AWS | Yes | No | Yes | Yes | No |
Appgate | No | No | No | No | No |
Atera | No | No | No | No | No |
Auvik | Yes | No | Yes | Yes | No |
Axcient | No | No | No | No | No |
Barracuda | Yes | Yes | Partial | No | No |
Bitdefender | Yes | Yes | No | No | No |
BitTitan | No | No | No | No | No |
Blumira | No | No | No | Yes | No |
ConnectWise | Yes | No | Yes | No | No |
CyberCNS | No | No | No | No | No |
Datto | Yes | No | Yes | Yes | No |
Duo | Yes | No | No | Yes | No |
Egnyte | No | No | No | No | No |
Fortinet | Yes | No | Yes | Yes | No |
| | Yes | Yes | No | Yes | No |
Gradient MSP | Yes | No | Yes | Yes | No |
Huntress | No | No | No | No | No |
Kaseya | Yes | No | Yes | No | No |
Liongard | No | No | No | No | No |
GoTo (formerly LogMeIn) | No | No | No | No | No |
Malwarebytes | Yes | Yes | No | No | No |
Microsoft | Yes | Yes | Yes | No | No |
N-Able | No | No | No | No | No |
Naverisk | No | No | No | No | No |
NinjaOne | No | Yes | No | Yes | No |
nerdio | No | No | No | No | No |
OITVOIP | No | No | No | No | No |
ServiceNow | Yes | No | No | Yes | No |
Servosity | No | No | No | No | No |
SolarWinds | Yes | No | No | Yes | No |
Sonicwall | Yes | No | Yes | No | No |
Sophos | Yes | Yes | Yes | No | No |
Taylor Business Group | No | No | No | No | No |
ThreatLocker | No | No | No | No | No |
TrendMicro | Yes | No | No | No | No |
WebRoot | No | No | No | No | No |
Watchguard | No | No | No | No | No |
Xero | Yes | No | No | No | No |
- Any bug bounty programs that are currently private, even if I know of them, will still be marked as "No". Any vendor that wishes to update that to a Yes simply has to provide me with a link to a landing page which offers security researchers a way to apply to the private program.
- Checks against security.txt and DNS Security TXT are done with the Python script included in this repo. If a vendor has a non-standard configuration, please contact me with the appropriate URL/DNS record info and it will be updated in the script to validate. (But why aren't you following the standards?)
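The methodology above says each vendor is assessed for a security.txt file and a DNS Security TXT record, and that a script in the repo does those checks. The block below is an added example of what that assessment looks like; it is not the script shipped in this repo. It implements the RFC 9116 MUSTs a checker should enforce (Contact and Expires present, Expires a single future RFC 3339 date, Preferred-Languages at most once), looks up the `/.well-known/security.txt` path with a fallback to the legacy `/security.txt`, and reads `security_contact=` / `security_policy=` from the TXT record at `_security.<domain>`. HTTP uses only the standard library; the DNS lookup assumes the `dnspython` package (an assumed dependency, imported lazily). The sample files and TXT strings at the bottom are constructed, not real vendor data.

```python
"""Check a vendor domain for RFC 9116 security.txt and DNS Security TXT.

Added example for this index, not the repo's own checker. The parsers are
pure functions so they can be exercised offline on the constructed samples;
the two fetch_* functions hit the network and are only used from main().
"""
import sys
import urllib.error
import urllib.request
from datetime import datetime, timezone

# RFC 9116 field rules: Contact and Expires are required; Expires and
# Preferred-Languages may each appear at most once. Field names are
# case-insensitive, so everything is lower-cased on parse.
REQUIRED = {"contact", "expires"}
SINGLETON = {"expires", "preferred-languages"}
KNOWN = REQUIRED | SINGLETON | {"encryption", "acknowledgments", "canonical",
                                "policy", "hiring", "csaf"}


def parse_security_txt(text):
    """Return {field: [values]}; comments (#) and blank lines are ignored."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # RFC 9116 lines are "Name: value"; anything else is noise
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def evaluate_security_txt(text, now=None):
    """Return (ok, problems). ok is False only for RFC 9116 MUST violations."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED - fields.keys():
        problems.append(f"missing required field {name.title()}")
    for name in SINGLETON & fields.keys():
        if len(fields[name]) > 1:
            problems.append(f"{name.title()} must appear only once")
    if "expires" in fields:
        try:
            # RFC 3339 allows a trailing Z; fromisoformat before 3.11 does not.
            exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone (RFC 3339)")
            elif exp <= now:
                problems.append("Expires is in the past; file should be treated as stale")
        except ValueError:
            problems.append("Expires is not an RFC 3339 date-time")
    for name in fields.keys() - KNOWN:
        problems.append(f"unknown field {name}")  # not fatal, but worth a human look
    fatal = [p for p in problems if not p.startswith("unknown field")]
    return (not fatal, problems)


def parse_dns_security_txt(txt_records):
    """Pick security_contact / security_policy out of TXT strings from _security.<domain>."""
    found = {}
    for rec in txt_records:
        if "=" not in rec:
            continue
        key, value = rec.split("=", 1)
        key = key.strip().lower()
        if key in ("security_contact", "security_policy"):
            found.setdefault(key, []).append(value.strip())
    return found


def fetch_security_txt(domain, timeout=10):
    """Try the RFC 9116 well-known path first, then the legacy root path."""
    for path in ("/.well-known/security.txt", "/security.txt"):
        try:
            with urllib.request.urlopen(f"https://{domain}{path}", timeout=timeout) as resp:
                if resp.status == 200 and resp.headers.get_content_type() == "text/plain":
                    return resp.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            pass
    return None


def fetch_dns_security_txt(domain):
    """Return the TXT strings at _security.<domain>, or [] if none resolve."""
    import dns.resolver  # assumed dependency: pip install dnspython
    try:
        answers = dns.resolver.resolve(f"_security.{domain}", "TXT")
    except Exception:
        return []
    return [b"".join(r.strings).decode("utf-8", "replace") for r in answers]


# Constructed samples (not real vendor data) used to exercise the parsers.
GOOD_SECURITY_TXT = """\
# Example vendor, constructed for this example
Contact: mailto:security@example.com
Contact: https://example.com/vdp
Expires: 2099-01-01T00:00:00Z
Policy: https://example.com/vdp
Preferred-Languages: en
"""
STALE_SECURITY_TXT = "Contact: mailto:security@example.com\nExpires: 2020-01-01T00:00:00Z\n"
NO_EXPIRES_TXT = "Contact: mailto:security@example.com\n"
SAMPLE_DNS_TXT = [
    "security_contact=mailto:security@example.com",
    "security_policy=https://example.com/vdp",
    "v=spf1 -all",  # unrelated TXT string on the same name, must be ignored
]

if __name__ == "__main__":
    # Usage: python check_vendor.py vendor.example  (prints the two table columns)
    domain = sys.argv[1]
    body = fetch_security_txt(domain)
    sec_ok = body is not None and evaluate_security_txt(body)[0]
    dns_ok = bool(parse_dns_security_txt(fetch_dns_security_txt(domain)))
    print(f"{domain} | security.txt: {'Yes' if sec_ok else 'No'} | DNS security TXT: {'Yes' if dns_ok else 'No'}")
```

Note that a file that merely exists does not earn a "Yes" here: a stale Expires or a missing Contact is a failed check, which matches the spirit of the column (is there a usable, in-date way to reach the vendor). Redirects are followed by `urlopen`, so a vendor that serves the file from a different host still passes as long as the final response is `text/plain` over HTTPS.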
If you are offering services to other MSPs, and have a web application/portal that you are asking MSPs to log into, then you are responsible for application security (appsec) of that app. That means you are a potential target in the supply chain, and should be thinking about how adversaries may leverage your digital assets to attack MSPs, and ultimately their customers. So where is YOUR VDP? Need help determining if you need one? I can help.
Some MSP or security researcher felt they wanted to know if you have a VDP and asked me to check. It might very well be that your appsec maturity model isn't at the point where you are ready for a VDP. If so, you should be honest with your customers about that. Otherwise, if it's very new to you and you need help, contact me.
If you think the data for your company is wrong, it could be. I'd be happy to update the index with proper data. Start by reviewing the methodology being used. If you have a proper security.txt and/or DNS Security TXT then I SHOULD be pulling the right data. In any case, send me a pull request (or an email) and we can get the data updated with the correct information.
If a company you expected isn't on the list, there could be several reasons:
- No one has asked to review that company (yet)
- That company may be owned by another entity already in the list (e.g. IT Glue/Kaseya, Autotask/Datto, Continuum/ConnectWise)
- I couldn't get clarity on their program(s), and I am still waiting to hear back from them.
If you want to see someone on the list, contact me.
If we want to find you, we will. OSINT in this day and age is so bloody easy. If you are marketing to MSPs, you're probably already known if a security researcher cares to look.
The real question should be, "why are you scared to work with security researchers"?
Know that a VDP and a BBP are NOT the same thing. You aren't forced to host bounty tables and pay us when we find vulnerabilities. It's appreciated, but not required. We don't have to look at your products/services either. Mutually beneficial relationships help improve security for everyone, and attract the right people to help you find and fix your vulnerabilities.
Consider this, though: if our intent weren't good and ethical, do you think that by not being on this list bad actors wouldn't approach you as a target? Do you think security by obscurity is really going to work? No, neither do I.
You do want to make it easier for security researchers to contact and communicate with you if they DO find something. By defining your VDP and making the allowed scope, intentions and expectations clear, we all know what to do and how to act.