Start a conversation

How does Kayako handle security vulnerabilities?

This article applies to Kayako Classic customers (Fusion, Case, or Engage) who signed up before July 2016. If that's not you, visit the new Kayako user guide.

We follow the standardized Common Vulnerability Scoring System (CVSS). CVSS is the most widely recognised vulnerability scoring framework used by governments and orgnizations worldwide.

Whenever a security vulnerability is discovered in Kayako, we use the CVSS framework to calculate its impact score. We map these to the following severity levels:

CVSS score Severity level Example case
0 - 2.9 Low Very unlikely to cause any significant disruption to a helpdesk.
3 - 5.9 Medium May provide limited access, disruption of service, usually requires elevated privileges of some kind.
6.0 - 7.9 High Risk of data compromise, the exploit is not readily available to attackers and may be difficult to execute.
8.0 - 10.0 Critical Full compromise of servers, infrastructure or data, the exploit is readily available to attackers.

Our fix and patch procedure

Kayako OnDemand customers will be patched and secured against any known vulnerabilities in accordance with their severity level, without any action on their part. For Kayako Download customers who will need to patch their own desk, this document sets out when and what kind of patches and releases will be made available.

Critical vulnerabilities

When a critical vulnerability is verified, we will fix it and release a security advisory. This includes:

  • Release an immediate update which includes the fix
  • Release a patch with the fix for the currently available release
  • Release patches for previous releases

How many previous releases will be patched

We will release patches either back to the previous non-maintenance release, or for all releases within the last 6 months, whichever is sooner. If we can create patches even earlier than this without causing complications, we will do so.

For example, if the current version is Kayako 4.60 and the previous non-maintenance release was 4.50, we will release a new update Kayako 4.60.1 and patches for Kayako 4.53, 4.52, 4.51 and 4.50. If you are using a release older than Kayako 4.50 (for example, 4.42), you would need to perform a full update to Kayako 4.60.1 in order to secure your helpdesk.

Other vulnerabilities

When a high, medium or low vulnerability is verified, we will fix it in the next regularly scheduled release. For example, if the current version is Kayako 4.60, we will include the fix in the next release 4.61.

Responsible disclosure and reporting

Security is one of our highest priorities. We are committed to delivering a secure and reliable helpdesk service to our thousands of customers and their own customers.

We therefore appreciate researchers who disclose vulnerabilities responsibly. A responsible discloser:

  • Does not test security vulnerabilities in a way that will impact our service or compromise our customers' data
  • Does not attempt to access, copy or share any information that does not belong to them
  • If they wish to test, will do so using their own test Kayako installation or account
  • Does not publicly disclose details of the vulnerability until we confirm that you can do so (to allow a reasonable amount of time to pass for our customers to update)

To report a vulnerability to us, submit a support ticket and include details of the vulnerability and a test case.

Our team will drop everything to verify and assess the vulnerability and keep you in the loop.

Hall of Fame

We would like to say a thank you to the following responsible disclosers or those who have otherwise contributed to the security of Kayako:

If you are the first one to report a particular vulnerability, we would like to include you in our hall of fame list below. To be added, provide your name, Twitter handle or website address. If you have discovered a non-trivial vulnerability in a Kayako product (Kayako software, OnDemand infrastructure or my.kayako.com), include your shipping address we'll send some goodies your way too.

Choose files or drag and drop files
  1. Jamie Edwards

  2. Posted
  3. Updated
Was this article helpful?
Yes
No