Vulnerability Reporting
We welcome security reports from customers, security researchers, and the broader community. If you've found a potential security issue in Ascent, please report it to us privately before disclosing it publicly. Do not file a public issue for a security bug.
How to Report
There are two private reporting channels:
- GitHub Private Vulnerability Reporting (preferred) — use Security → Report a vulnerability on the Ascent repository. This keeps the report private and lets us coordinate the fix and disclosure directly in the platform.
- Email — [email protected] with the subject line prefix [ascent-security-report].
What to Include
To help us triage quickly, please include:
- Affected component — which part of Ascent (server API, worker, client, portal, a specific integration like Level RMM, the docs site, etc.).
- Reproduction steps — a clear sequence that reliably reproduces the issue, along with any proof-of-concept code or payloads.
- Version / commit — the Ascent commit or release you tested against (on-prem), or the approximate date and time the issue was observed (hosted).
It also helps to share your read on the impact (confidentiality, integrity, availability) and how we should reach you for follow-up.
What to Expect
- Acknowledgement — we will confirm we received your report.
- Triage — we will confirm whether the issue is reproducible and assign a severity.
- Coordinated disclosure — we will agree on a disclosure timeline with you before publishing details.
Supported Versions
We support only the latest 0.6.x patch release. Once a newer patch ships,
older 0.6.x patches stop receiving fixes, so please confirm an issue against
the current release before reporting where possible.
Scope
In scope:
- The hosted Ascent service at *.goascent.app.
- The Ascent product code that ships to customers, including on-prem releases.
Out of scope (please do not submit these):
- Social engineering, phishing, or physical attacks against Ascent staff or customers.
- Denial-of-service testing against the hosted service.
- Reports generated purely by automated scanners without a validated exploit.
- Vulnerabilities in third-party services we integrate with — please report those to the respective vendor.
Responsible Disclosure
We ask that you make a good-faith effort to avoid privacy violations and disruption while researching, and in particular that you:
- Do not access, modify, or delete data belonging to other customers.
- Do not exfiltrate data beyond what is strictly necessary to demonstrate the issue.
- Give us reasonable time to fix the issue before public disclosure.
If you're unsure whether your planned testing falls within this policy, email us first and ask.