SimpleHelp Vulnerability Disclosure Policy
Version: 1.1
Effective date: 25th May 2026
SimpleHelp Ltd welcomes good-faith reports of suspected security vulnerabilities. Our priority is to protect customers, including customers who operate self-hosted SimpleHelp installations and need time to schedule and apply updates.
Please report suspected vulnerabilities privately to [email protected] or through the security contact published by SimpleHelp Ltd.
Scope
This policy applies to suspected vulnerabilities in SimpleHelp software, SimpleHelp services, and SimpleHelp-managed systems.
Testing must be limited to systems you own or are expressly authorised to test. This policy does not authorise testing of SimpleHelp Ltd systems, another customer's systems, or any third-party systems without express written authority from the relevant system owner.
Researcher and Tester Responsibilities
Researchers and testers must:
- act lawfully and in good faith;
- test only systems, accounts, data, and networks they are authorised to test;
- avoid accessing, modifying, deleting, extracting, retaining, or disclosing customer or third-party data;
- avoid service disruption, persistence, lateral movement, malware, destructive testing, extortion, and unauthorised privilege escalation beyond what is strictly necessary to validate the issue;
- report suspected vulnerabilities privately to SimpleHelp Ltd with enough information for us to validate and remediate the issue;
- keep non-public vulnerability details confidential until disclosure is coordinated with SimpleHelp Ltd; and
- comply with the SimpleHelp License Terms and Conditions and any other written testing terms agreed with SimpleHelp Ltd.
Coordinated Disclosure
SimpleHelp Ltd will aim to acknowledge reports in a reasonable time, validate and remediate confirmed issues, coordinate advisory wording and credits where appropriate, publish useful customer guidance without unnecessarily enabling exploitation, and provide configuration-specific mitigation guidance directly to affected customers where needed.
Unless SimpleHelp Ltd agrees otherwise in writing, researchers and testers must not publicly disclose exploit-enabling detail relating to a SimpleHelp vulnerability until at least 60 days after SimpleHelp Ltd publicly releases the relevant security update or advisory. SimpleHelp Ltd may request a longer period where reasonably required to protect customers, including where customers operate self-hosted installations, require maintenance windows, or have extended operational update cycles.
The release of a patch, fix, release note, limited advisory, customer notice, support communication, mitigation, or other information by SimpleHelp Ltd does not authorise publication of further exploit-enabling detail unless SimpleHelp Ltd has confirmed this in writing.
Defensive Information
This policy does not prevent publication of non-operational defensive information, such as:
- CVE identifiers;
- affected and fixed versions;
- severity and high-level impact;
- general update or mitigation guidance;
- researcher credit; and
- broad defensive checks that do not materially narrow the route to exploitation.
This policy also does not prevent confidential disclosure to legal advisers, insurers, regulators, law enforcement, national CERT/CSIRT bodies, or other appropriate vulnerability-coordination bodies where such disclosure is lawful, reasonably necessary, and made in a manner that does not publicly enable exploitation.
Exploit-Enabling Detail and Tooling
Exploit-enabling detail means any information, material, code, or tooling that materially assists exploitation of a SimpleHelp vulnerability. This includes, without limitation:
- proof-of-concept exploits, exploit scripts, payload generators, modules, scanners, templates, automation, or weaponised reproduction material;
- endpoint paths, request or response examples, token examples, payload examples, authentication-flow detail, implementation detail, and any handler, class, method, source-location, patch-diff, or root-cause detail that materially narrows exploitation;
- configuration, feature, subsystem, integration, or deployment-detail narrowing that materially assists exploitation before customers have had a realistic opportunity to update;
- scanner logic, Nuclei templates, Metasploit modules, or similar reusable testing or exploitation material; and
- any other public material that enables a reasonably capable attacker to reproduce or accelerate exploitation.
Researchers and testers must not publish, sell, license, distribute, transfer, upload, demonstrate, or otherwise make available exploit-enabling detail or tooling unless SimpleHelp Ltd has given prior written approval.
Good-Faith Reports
SimpleHelp Ltd does not intend to take action against ordinary customers, administrators, auditors, consultants, managed service providers, penetration testers, or researchers who act in good faith, stay within authorised systems, avoid customer and third-party data, report privately, and follow this policy.
SimpleHelp Ltd may refuse, limit, suspend, or revoke authorisation for security testing by any person or organisation that breaches this policy, tests systems without proper authority, mishandles customer or third-party data, distributes exploit tooling, or creates a material security risk to SimpleHelp Ltd, SimpleHelp customers, or third-party systems.
Legal and License Terms
This policy forms part of the SimpleHelp License Terms and Conditions where incorporated by reference. If there is any conflict between this policy and a written agreement signed by SimpleHelp Ltd, the signed written agreement takes precedence.
This policy applies except to the extent prohibited by applicable law. Nothing in this policy is intended to exclude rights that cannot lawfully be excluded, including any non-excludable statutory rights relating to lawful use of computer programs.