Responsible Disclosure Policy

Improsec’s goal is to help improve security in widely used IT systems, including hardware and software products, operating systems, (web) applications, firmware, APIs etc. This work is carried out only to the extent that it compromises neither the trust nor the confidentiality between Improsec and our customers. When we identify security issues or vulnerabilities in IT systems, security researchers at Improsec follow the Responsible Disclosure policy below.

In the following document you will find our Responsible Disclosure Policy (UK version).


Responsible Disclosure Findings

Multiple vulnerabilities in SonicWall SMA 100

During a customer engagement we identified multiple vulnerabilities in SonicWall’s Secure Mobile Access (SMA) web interface, allowing unauthenticated user enumeration and unauthenticated read/delete access to several endpoints of the management API.

Privilege escalation vulnerability in NinjaRMM Agent introduced in EXEMSI MSI Wrapper

We found a vulnerability in EXEMSI MSI Wrapper, which affected multiple third-party software vendors. Read more about our finding and the responsible disclosure here:

Privilege escalation in Microsoft Windows 7/8.1/10, Windows Server 2008/2012/2016/2019

We found a vulnerability in Windows 7/8.1/10/Server 2008/2012/2016/2019, which affected a range of different third-party products. Read more about our finding and the responsible disclosure here:

Privilege escalation vulnerability in Lenovo System Update

We found a vulnerability in Lenovo System Update that allows any user to redirect the application flow in unintended ways, which allows low privileged users to access high privileged functions. Read more about our finding and the responsible disclosure here:

Unpatched privilege escalation vulnerability in Intel Driver & Support Assistant

We have found a trivial privilege escalation vulnerability in Intel Driver & Support Assistant. Read more about our finding and the responsible disclosure here:

Local Privilege Escalation in SmartDraw 2020

We have performed an analysis of SmartDraw 2020, and found a local privilege escalation vulnerability using the built-in update functionality of the product as well as the general folder permissions set on the installation path of the product. Read more about our finding and the responsible disclosure thereof here:

Privilege Escalation vulnerability in Splashtop Streamer

We have found bugs in the installed software Splashtop Streamer while doing vulnerability research. Read more about our finding here:

Remote Code Execution by reverse engineering an Askey WiFi extender

We have performed an analysis of the Askey WiFi extender in close collaboration with TDC. Read more about our finding here:

Local privilege escalation via Pronestor HealthMonitor

During a Windows security analysis, we found a privilege escalation vulnerability in the Pronestor HealthMonitor service (part of the “Outlook add-in for Pronestor” product). Read more about our finding here:

Multiple vulnerabilities in EasyInstall RMM and deployment software

We have performed an analysis of EasyInstall RMM and deployment software and have found six privilege escalation vulnerabilities:

Local privilege escalation in FastTrack AdminByRequest

We have performed an analysis of the product “AdminByRequest” (version 6.1.0.0) by FastTrack Software and have found two local privilege escalation vulnerabilities, allowing a regular user to become local administrator. The first CVE allows a local user to communicate directly with the underlying service Audckq32.exe over a named pipe to force elevation to admin, and the second CVE allows a user to become local administrator by reversing the proprietary PIN-code algorithm:

Privilege escalation in Lenovo Dynamic Power Reduction Utility

We have performed an analysis of Lenovo Dynamic Power Reduction Utility and have found a privilege escalation vulnerability. Read more about our finding here:

Privilege escalations in CapMon Access Manager

We have performed an analysis of Access Manager by CapMon, and found interesting security vulnerabilities by means of direct communication with its privilege-managing service. Read more about our findings and the responsible disclosures thereof here:

Privilege escalations in Heimdal Security

We have performed an analysis of Heimdal Security and found interesting security vulnerabilities by means of DLL hijacking and executable overwriting. Read more about our findings and the responsible disclosures thereof here:

Client-side remote code execution in IBM Notes

We have performed an analysis of IBM Notes and found interesting security vulnerabilities by means of DLL hijacking. Read more about our findings and the responsible disclosure thereof here:

Privilege escalation in IBM Notes Diagnostics

We have performed an analysis of IBM Notes Diagnostics and found interesting security vulnerabilities by means of DLL and internal file hijacking. Read more about our findings and the responsible disclosure thereof here:

Privilege escalation in IBM Notes Smart Update Service

We have performed an analysis of IBM Notes Smart Update Service, and found an interesting security vulnerability by means of DLL hijacking. Read more about our finding and the responsible disclosure thereof here:

Local information disclosure vulnerability in IBM Tivoli Storage Manager and IBM Spectrum Protect

We have performed an analysis of IBM Tivoli Storage Manager and have found a local information disclosure vulnerability. Read more about our finding here: