Product Security

RStudio values the security of its products and customers; we appreciate contributions from the security community to further enhance the security of our software.

Product Security

RStudio values the security of its products and customers; we appreciate contributions from the security community to further enhance the security of our software.

We ask that you follow these responsible disclosure guidelines:

  • Notify RStudio of the vulnerability and provide us a reasonable amount of time to address it before disclosing the issue publicly.
  • Provide details of the vulnerability including the steps necessary to reproduce and validate.
  • Avoid privacy violations, data loss, or service disruption when performing research.
  • Do not modify or access others’ data.

To encourage responsible disclosure, we commit that we will not take legal action against you nor ask law enforcement to investigate if we determine that you have complied with the above responsible disclosure guidelines.

Product Vulnerability Reporting

If you believe you have discovered a vulnerability in one of our products, please contact us immediately so that we may resolve the issue as quickly as possible. You may email the details of the vulnerability to security@rstudio.com. Please include the following information:

  • Product name and version.
  • A description of the vulnerability and why it is exploitable.
  • Evidence of a successful exploit and complete steps to reproduce the exploit. Screenshots or video are preferred.

Please include as much information as possible. If we cannot reproduce the exploit with the information provided, we will be unable to proceed further.

We will attempt to respond to all reports within 3 business days however the time to research the issue may be longer. Depending on the outcome, detailed results of the investigation may not be made available until a fix is released.

Responses to Penetration or Vulnerability Testing Reports

If you have received a vulnerability assessment or penetration test report for your installed instance of an RStudio product and would like RStudio to comment, please please submit a support ticket at https://support.rstudio.com/ and include the following information:

  • The full detail of each finding, without redaction.
  • If submitting the full report, a list of which findings require comment.
  • An acknowledgement that you have independently verified each vulnerability requiring comment and determined they are not due to a configuration setting.

Please include as much information as possible. If we cannot reproduce the exploit with the information provided, we will be unable to proceed further. Turnaround time is typically two weeks but may be longer due to volume.

Security Questionnaires

Potential customers: Please work with your sales representative to coordinate completion of the questionnaire. A security non-disclosure agreement may be required.

Existing customers: If your organization requires a product security questionnaire to be completed by RStudio, please submit a support ticket at https://support.rstudio.com/ and include the following information:

  • Contact name and email address
  • Which products are to be covered
  • A link to or copy of the questionnaire (if the questionnaire requires a login, we will contact the person listed in the ticket to coordinate access)

Please ensure the questionnaire is appropriate for the type of product. For example, a SaaS or cloud-based questionnaire is not applicable to on-premise software. Turnaround time is typically two weeks but may be longer due to volume.

Unfortunately at this time we are unable to complete security questionnaires for open-source products or shinyapps.io.

Bug Bounty Requests

RStudio does not offer a Bug Bounty program.

PGP Key

If you would like to encrypt your email to us, our PGP key is available below. If you encrypt your email, please include your PGP public key in your message or else the reply.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.5

mQINBFmUu44BEAC54GaTQpKBnJKP1DkWV32HdW3hLaSqNQEfAKuu67CsdWQFUZw28psTcQvP
Ek0Nf8xof/2V49fqQ4RKbJgDkSU3s/vJh/WTfFFubkCVRZGM8KuOrQSuyb5S+wnEYJUZQ2yB
kE+430HjF906lzcBua8/WzUQV5FuTDD5nG2j3ZRX7kjQg8AULIjKdBf7Kh6bQyoHPJFPeQMz
+8/tu8gd0srvuc5hoaxF+nwyb3ObnStF8wBLx4rskSjW5S2wAPEMy64xfk02dxQf66n6JwbY
llWF0yNw5Lv9sJFgHsGCaDLi+38eOaaNrOQ0zDOOsgZAyKwxccl40KWbghzuTNo0e+AzKQVH
GHB0jlUteBl1TM4ZRophWn54/hA567IwUydMZgfRZMJ6/H58k+zYSh+LaIyfQ4HAtptJc3tm
NlE8Pt4skZvYfOvkEv/GMUsUpCVLXPYXbeIOuaGdkSt49U+BZfMR8Id8w0oQrY4wcVH9H4pu
ojVuo9O/91KVVlLlNzYE8RigWT16g4JJ/vDYCafXjDs1zta5XemF8sMfM5nrvqYrOzyPVvYD
XrnvExJPeDSQTblY0dkNPZcG2deypa4isdXC47mKmVof2UQ64GvLDqZ23WPT+BeIZcZ7fpGY
eMPyvRG4czb9fW0Bdj5Ptki8fn6iA5qRAsZAIY4BAMdcCc8M/QARAQABtDFSU3R1ZGlvIFZ1
bG5lcmFiaWxpdHkgPHZ1bG5lcmFiaWxpdHlAcnN0dWRpby5jb20+iQI5BBMBCAAjBQJZlLuO
AhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQYerLdNnz7GLgOBAAs6awdkmOSM2/
xV7bIpsliFrZQekFtcT+NPEUKy4vSmdYVqTRvFVTlPrUAha+K3sjDuaV4Zrf7vIfhN+5PNWy
Hguhv7s+jhN5iOIii+3AUvqMY/vLjZyK8Df9N7ZKa3OfMXMqIQYu4oG+ySfcqeYij8ShyqwV
JYB/Qrn2jwlV96BfVfsqvAcnc790KfR3Um7ef03o8HdkY1EWA3XH9uMn9mdB5hZTihLEdM/P
orb6fSKA2+8YUCaNiXPy2m8sg4oEu87vQ1XA7sLz18HsNJMmMLOqtctQAM4evWuoUIwh57lp
NMGPxwdAsBrOHKwJYuI6majs8TZnQ18Q3OdZ6JriwncFs6W87n5cRfKERtja7WFlxouS2dXe
vts+YSrOXB7sD3Qy4UtaK2Va+5VhpOmCPKOOOn59du51AkIYbjG0gvc02RhzYgcy2covweDx
3jkDcP1an2ULydcuX9mOK0INRP2eveCQE4t35Wgc5BgVegLucdcqcbz7kDg6WiR0xvhrbnWf
bXtpkXG5U6xbIuc/TALAT6njtJ/ruRCezh0+jQ00fPwxMqWzuXb3eLqpRij/F0KTg8eHtZ4/
qIj7cAiuucCsmSQ/HbqsBZDgHeK610gbltJy9g5qV4rqIVC02UjHqfpI2E1dJbXcWRXV8WmE
6WSXV3dWE9WJUsdWS3Zk7ZW5Ag0EWZS7jgEQAM72NxacSDshaA9aQ0FgNvqYbWJXJ4CTr4Wr
eKyJmrY/X6J5BwufUEHN3w/tQQtSw36S2sxafGmkE2/asXwvAY4bm8n0HX9zq/szlJnprinb
qFVVatkQjf2iQRdo9tbGdYJpeFm+PTCEUI4/aiapESkT0KlUu8O0kYmbL67caNAe/DyPBBP8
ifPtzwZq5cXLIsyqHgHruh2DYajoBIkO7G/0woEcnytF8KbndT9Zds+0+XXCBZD0vRnOQ61U
Z3GdlD/45hp7GelajiDumv7BQCKy2dAkths5vvw4cricvRHGvp72rAsg2sJuU+CIZi74hhLO
05/5DeN1TzXM6GZI9D5tcr7n+fJGLQZWZg07FRF58jJGrpsSbbxmEi1yBUWpdJvrjw5Bjj3s
ai14Tl51nZgk0vpuBlrg0z55r/Sp/kvQqlAHPazi91rCoRUH32wY9m11rPQPs3o8W/V2ot1D
0ZLsOW1gojSOuG6e6C0PU6WwzaAqtn3LS5xoFWaB9EL+tgoYIiexHTXAv49mgotk+gUv4Gij
mgeEMo1RIkMISvUmbnuTWB2b3MnOP3AkorbYysZ+fuW4UImrCCS9UIOwHr28drP7qQkdjvu3
iWcP1iQPb8JoWAzXOHz1kBe/LwJLmzbABBn5iB8nQrLt+gcJHRpM7IsRAi2smfe6VInGLNL7
ABEBAAGJAh8EGAEIAAkFAlmUu44CGwwACgkQYerLdNnz7GLdqA//XOLv8LBpQTE+iJDudFqZ
65swv5yN0oY4vUcr5ybcdkgsq38jJNP48C98mQnpZcHCN+Wzi+F3/uoSrVKk+14t5FNFkgQI
q+fgrUtTv2fz9sEurj5Zme66/JpIaQZwFsyBSeySv6T306sMJJToe8hl/cDf2P5s8ITAHeNc
8PoPQZ68LZdt2GCJCvYEJLHYlp0KoFN7wqkVlqgyKxKo16NjXNURZGldyqEVOjIbT2eInzSw
AEBbve6OXm06riWTMKjsq6dtRTqqLFuGX9joOmvQNWz9qiHP1+no8i/ztNG2cyJizOrJmB/p
MA6U2/u9rEqDL9qg9k70SXbSRiYu7iU7x/6v6ZSdrDUGbi0N1cOe2oc+By/cgU0rJHKObcaV
eSp08xxRLvFYT0m0OFExE8iIXZYi9pbkuoq9hDV26IyKBQWr+rdKn1Khzi6xT56/wgw4ZO2S
rElL+20WFJamutxdCxZkqPWXnxhDnh6UVN2yDKv4h6N4UJwCJJz43zodrtYgl+7OQF82Pi0D
qzGFBbbKRkP+fZeLwKBf21nBpMdTLbX05NHbE2Paq9g3lg8Rv+alwQj0zAYh9gtssDNFhU2X
/1hBcgxTKDTZ1scLoMqBIANfUkO64lXQBiTxqYTPUBMQ9yv+7tcHx/pMcg12a7XCjAr0mJbZ
mvXw0IFW7IYP+tQ=
=8BUx
-----END PGP PUBLIC KEY BLOCK-----