Vardot takes the security of our products and procedures very seriously. We educate our staff on security best practices, and our development process includes quality assurance such as peer review, security reviews, and automated security audits to help ensure our products are high quality and secure. However, as with all complex software products, it is possible that a security vulnerability may be present in one of our products.
If you discover a security issue in a Vardot product or hosted service, we ask that you report it to us confidentially in order to protect the security of our services.
Vardot's security team will respond to confirm receipt of your message, review and plan the mitigation of the issue appropriately, as well as set a timeline for a new release or patch. We follow responsible disclosure and will credit researchers when a security issue has been identified and mitigated while adhering to the following specifics.
Please provide as many relevant details as you can. In particular:
Vardot relies on open source software such as Drupal, Varnish, memcache, nginx, Apache, MySQL and many others. If you identify a vulnerability in one of our products that is actually in the underlying software, you can report the issue to us, but you could also report it to the security team for that project. For Drupal, see "How to report a security issue in Drupal". If you report an issue to Vardot and the problem lies with another product, we will also contact and coordinate with their team prior to making any release.
Thanks to Acquia.com for its related responsible security issue reporting procedure, which influenced this one.