ConnectWise: Implement cybersecurity programs and policies to protect your clients.

Dick Tracy started this petition to ConnectWise and

ConnectWise, your clients (TSPs, MSPs, MSSPs, IT providers and more) are being targeted by cybercriminals at an increasing rate. You have taken steps to push your clients down the right path by rolling out ConnectWise SSO and enforcing MFA. However, no matter how well your clients prepare, they may remain vulnerable, because all software has vulnerabilities. Many companies get ahead of this by running bug bounty programs, publishing vulnerability disclosure policies and issuing CVEs to keep their clients informed.

Two of your core software products, ConnectWise Automate and ConnectWise Control, are designed to be installed as agents on endpoints to automate maintenance and provide remote support. These agents require the highest level of privilege to function, and the central servers they communicate with can have access to tens of thousands of devices, so a single compromised server puts every device it manages at risk. Despite this, the programs and policies that would help keep your clients secure have not been implemented.

I do not need to explain the importance of these programs and policies to you. In the TSP-ISAO (1) announcement the ConnectWise CEO Jason Magee is quoted as saying, “ConnectWise is launching the TSP-ISAO and leading the campaign to get companies collaboratively involved with us because we think it’s of the utmost importance for the entire industry” (2). In the security assessment tool announcement ConnectWise CISO John Ford is quoted as saying, “Now more than ever, it is vital for MSPs to prioritize working with their customers to identify the areas of their business that have security gaps, vulnerabilities or lack of proper security controls. That’s what ConnectWise Identify allows our partners to do.” (3)

It is clear that your leaders understand the importance of cybersecurity. That understanding should extend to ConnectWise's own core products. We need collaboration between ConnectWise and security researchers so that the security of the software we all depend on is maintained and improved.

I ask that you review each item below and consider taking the steps required to improve.

  1. Publish a vulnerability disclosure policy so researchers know how to approach you and know that it is safe to do so. Provide guidelines on responsible disclosure and on how CVEs will be assigned for confirmed issues. (4)
  2. Put internal policies in place that allow your teams to communicate promptly and clearly with the researchers who have submitted information. This is essential for responsible disclosure: researchers need to know that you are working on the problem. I know from experience and from speaking with others that this does not currently happen. Those of us who eventually find a contact to send information to see our submissions go unanswered or repeatedly delayed with brief, vague replies that give no indication of whether the issue will be resolved at all.
  3. Update your developer documentation to cover the common security issues an integrator will face when building solutions on your platform. Provide the education needed so that the solutions built on top of your products do not compromise your clients.
  4. Start a bug bounty program. The researchers who currently bring you information are often left frustrated by the lack of programs, policies and clear communication. The information freely provided to you has value. Recognizing that value will allow more researchers to spend the time helping you find and close vulnerabilities so that your clients stay secure. Platforms such as HackerOne exist to run exactly this kind of program: https://www.hackerone.com/

1. https://tsp-isao.org/
2. https://www.connectwise.com/Company/Press/Releases/ConnectWise-Announces-Cybersecurity-Focused-Organization
3. https://www.connectwise.com/company/press/releases/connectwise-launches-new-security-assessment-tool
4. https://www.kaseya.com/legal/vulnerability-disclosure-policy/
