M-Files Vulnerability Disclosure Public Policy

As a responsible software vendor, M-Files Corporation takes software vulnerabilities seriously. We are committed to resolve the vulnerabilities to meet the need of our customers. We encourage reporting any vulnerabilities to us by sending the information to [email protected] to ensure all reports are traced and processed according to their priority.

Please send us an email if:

  • You have identified a potential security vulnerability with one of our products;
  • You have identified a potential security vulnerability with one of our services.

The [email protected] address is intended ONLY for the purposes of reporting product or service security vulnerabilities. All other content will be dropped.

For technical and customer support inquiries, please visit our Support Page.

M-Files Corporation attempts to acknowledge receipt to all submitted reports within seven days. We kindly ask to avoid public disclosure while the remediation is being developed.

Receiving security information from M-Files Corporation

Technical security information about our products and services is distributed through several channels.

a) M-Files Corporation distributes information to customers about security vulnerabilities via https://kb.cloudvault.m-files.com. In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability though there can be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.

As each security vulnerability case is different, we can take alternative actions in connection with issuing security notices. M-Files can determine to accelerate or delay the release of a notice or not issue a notice at all. M-Files does not guarantee that security notices will be issued for any or all security issues customers can consider significant or that notices will be issued on any specific timetable.

b) M-Files works with the formal incident response community to distribute information. Company security notices may be distributed by regional CSERT at the same time that they are sent through company information distribution channels.

All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.

Use of the information constitutes acceptance for use in an AS IS condition. There are no express or implied warranties or assurances with regard to this information. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.