Since that date we have had a positive discussion with Continuum’s reporting engineers. Datto and StorageCraft engineers have also been hard at work designing and implementing patches.

Once a patch is ready, we incorporate it into our immediate next software release. Software releases are generally available bi-weekly and include feature enhancements, bug fixes, as well as security patches. Devices set to less aggressive update channels by their partners will still receive updates at least once per quarter. The time to create the patch depends on many factors including severity of the threat, prevalence, and the complexity of the required patch. If necessary, we have sufficient engineering resources to work around-the-clock on critical threats.

Throughout this letter, I’ll discuss the way we make decisions about security generally and how we reevaluate prior decisions as the threat landscape changes over time.

Summary of Reported Vulnerabilities

The first vulnerability exploits the agent device pairing mechanism to allow a rogue user on the same local network as an agent, who is using a secondary Datto appliance or impersonating a Datto appliance, to pair with an agent.
We have received no reports of any client device or Datto Cloud backup data being compromised as a result of these vulnerabilities.
However, as mentioned above, for the vast majority of our partners, we expect you’ll find your standard network practices will fully protect you from these vulnerabilities.
For those partners that do have vulnerable client environments, below are some LAN and network best practices we recommend.
In combination, these would mitigate the vulnerabilities and eliminate any theoretical risk during the period between today and when we deploy a patch.

Datto’s Normal Security Vulnerability Evaluation Process

When we receive third-party reports of possible product vulnerabilities such as these, we always take those reports seriously and investigate every one.