Security Policies

This document outlines the risks associated with using PostSharp or Metalama and describes our policies for addressing security vulnerabilities.

No network access

PostSharp and Metalama are compilers and/or IDE plug-ins that run locally on development workstations or build agents. They do not access the network except for telemetry purposes.

Please refer to our privacy policy for details about telemetry data collection.

Sensitive data

Metalama and PostSharp do not process sensitive data other than source code, which always remains on the developer's workstation or build agent.

We do not collect or process any personally identifiable information (PII) or sensitive data, except during license audits, where your license key and IP address are collected. This data is securely stored in a database and is not shared with third parties. For more details, please refer to our privacy policy.

Risk assessment and mitigation

Since our products do not send or receive critical data over the network, potential vulnerabilities in Metalama, PostSharp, or their dependencies are unlikely to have a significant impact, as they cannot be exploited remotely.

The most critical risk associated with Metalama is a supply chain attack, in which malicious code is injected into our products in order to harm not our own company but our customers. Such an attack could target either our organization or one of our dependencies.

To mitigate this risk, we implement the following measures:

  • Dependency audits: We regularly audit our dependencies using automated tools such as NuGet Package Vulnerability Scanner and GitHub Dependabot to identify known vulnerabilities. Any flagged issues are promptly assessed and addressed if necessary.

    Most vulnerabilities in dependencies require network access and the injection of harmful input data to be exploited. Since our product does not process untrusted data (its only input being customer source code), it is not exposed to most such vulnerabilities. Consequently, very few vulnerabilities in dependencies require action on our part.

  • Binary signing: We sign our binaries using an Authenticode key stored on a secure and isolated device, separate from build agents and development machines. Before signing, we scan the binaries for known malware.

  • Open source: The product is open source, with some proprietary extensions available as source code to enterprise customers. Customers can audit the source code and build the product using their own infrastructure.

Supported versions

In the event of a reported vulnerability, we will address it in all supported versions. Fixes are not backported to unsupported versions.

Please ensure that you are using a supported version. A list of supported versions is maintained on this page.

Reporting a vulnerability

To report a vulnerability, create an issue in the Metalama repository, but do not include any details in the public issue that would allow the vulnerability to be exploited. At the same time, send an email to hello@postsharp.net with the full details of the vulnerability.

We aim to acknowledge vulnerability reports within 24 hours and provide a resolution or mitigation plan within three days, depending on the severity of the issue.

If you do not receive a prompt response, please contact us by phone.

Security of customer service

In addition to public information such as the company name and address, we store the following customer data:

  • Invoices, orders, and quotes
  • Contacts
  • Subscriptions and license keys
  • Support tickets
  • Emails
  • License audit data

We do not store payment information.

All data is stored in the cloud using Microsoft Dynamics 365 or Microsoft Azure.

We consider this data to be moderately sensitive.

Some of this information is made available online through our customer portal.

Your license key is used as an authentication mechanism for the customer portal. Please contact us immediately if your license key has been leaked.

Resellers who know your license key, or who make a purchase on your behalf, gain access to a section of the customer portal that exposes the following data:

  • Contacts
  • Subscriptions
  • License keys