Security: DevExpress/Shared

SECURITY.md

Security

DevExpress is committed to the needs of its developer community and the reliability of its product line, including all source code repositories managed through GitHub. Our security testing protocols include:

  • Internal security testing prior to official release (applies to all UI component and product libraries).
  • Active inspection/review of static security scanner reports.

DevExpress treats all security-related matters and possible security vulnerabilities with the highest priority. DevExpress will issue security advisories and release appropriate security patches once a vulnerability has been identified and addressed. Though our primary focus will be to patch production versions of DevExpress products, we will endeavor to patch discontinued versions as circumstances and risks warrant. Whenever possible, we will develop workarounds if an upgrade is not an option for you or your organization.

If you believe you have found a security vulnerability in any DevExpress-owned repository, please report it to us as described below.

Reporting Security Issues

Please do not report security vulnerabilities through public GitHub issues. Instead, submit your report via the DevExpress Support Center (where you can create private support tickets).

If you do not wish to create a DevExpress.com account, simply forward your report via email to securitylab@devexpress.com.

To help us understand the nature and scope of the vulnerability, please include as much information as possible. Answers to the following will help us isolate the issue in the shortest possible timeframe:

  • Type of the issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)

  • Full path of source file(s) related to the issue/vulnerability

  • The location of the affected source code (tag/branch/commit, or direct URL)

  • Any special configuration required to reproduce the issue

  • Step-by-step instructions to reproduce the issue

  • Proof-of-concept or exploit code (if possible)

  • Impact of the issue, including how an attacker might exploit the issue

Once you’ve submitted a report, you will receive a response within one business day (24 hours), excluding weekends and holidays.

Preferred Languages

We prefer all communications to be in English.