Security & Responsible Disclosure
We welcome security researchers. AdvDesk handles remote-control sessions and we take that responsibility seriously — finding and fixing vulnerabilities is part of how we keep the service worth trusting.
Introduction
If you've found a security vulnerability in AdvDesk, we'd like to hear about it. This page explains how to report, what's in scope, and the safe-harbor protections we offer for good-faith research.
How to report
Email security@advcode.net. For sensitive reports you can encrypt with our PGP key:
- PGP key fingerprint: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 (placeholder — published key will appear here once generated)
Include in your report:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce, ideally with a minimal proof-of-concept.
- The version of AdvDesk affected (client build number, server URL, etc.).
- Your name or handle, so we can credit you (optional — you can stay anonymous).
Scope
The following are in scope:
- advdesk.advcode.net — the dashboard and web viewer
- The AdvDesk Windows client (most recent two minor releases)
- The AdvDesk relay (any host on *.advcode.net serving the relay protocol)
- Public APIs under /api/v1/*
Out of scope
- Third-party services we use (Stripe, Contabo, Google) — please report those to the vendor directly.
- Social-engineering attacks against AdvDesk staff, customers, or partners.
- Physical attacks against AdvDesk infrastructure or offices.
- Denial-of-service attacks. Please don't.
- Findings from automated scanners without proof of an actual exploitable vulnerability.
- Reports of "missing" headers (HSTS, CSP, X-Frame-Options, etc.) on pages where the absence has no exploitable impact.
- Issues that require physical access to a victim's already-unlocked device.
Safe harbor
We will not pursue legal action, civil or criminal, against researchers who:
- Report vulnerabilities in good faith and follow this policy.
- Avoid privacy violations, destruction of data, and interruption of service.
- Use only their own accounts (or accounts where they have explicit written authorization) for testing, and do not attempt to access other users' data beyond what's necessary to demonstrate the issue.
- Give us reasonable time to fix the issue before public disclosure (we suggest at least 90 days, but we're flexible — talk to us).
Activities that fall outside this safe harbor — for example, exfiltrating large volumes of customer data, demanding payment as a condition of disclosure, or running denial-of-service attacks — are not authorized and we may take legal action.
Our response
- Acknowledgement within 48 hours of your report.
- Initial assessment (severity, scope, reproducibility) within 5 business days.
- Fix timeline depends on severity:
  - Critical (e.g., remote code execution, full account takeover): patched within 7 days.
  - High (e.g., privilege escalation, sensitive data leak): patched within 30 days.
  - Medium (e.g., authenticated XSS, CSRF on non-destructive action): patched within 90 days.
  - Low (informational, hardening): scheduled into the normal release cycle.
- Coordinated disclosure after the fix ships. We'll credit you in the changelog and hall-of-fame unless you ask us not to.
Hall of fame
Researchers who have responsibly disclosed vulnerabilities will be listed here, with their permission. The list is currently empty — be the first. If you've reported an issue and want to be credited (or want a credit removed), email security@advcode.net.