Product Information
Security Updates

Nitro PDF Pro for Windows

Release Date: 12/5/2024
    • Last updated: 12/5/2024
      Originally published: 12/5/2023

      Update

      Nitro has released a new version of Nitro PDF Pro, which resolves potential security vulnerabilities.

      Affected Version(s)VulnerabilityCVEStatusSolutionAcknowledgment

      Nitro PDF Pro for Windows 14.32 and earlier

      Local Privilege EscalationN/AResolvedUpgrade to 14.34.1.0N/A
    • Last updated: 09/25/2024
      Originally published: 07/25/2023

      Update

      Nitro has released a new version of Nitro PDF Pro, which resolves potential security vulnerabilities.

      Affected Version(s)VulnerabilityCVEStatusSolutionAcknowledgment

      Nitro PDF Pro for Windows 13.70.7.60 and earlier

      Nitro PDF Pro for Windows 14.18.1.41 and earlier

      A security vulnerability has been identified in the MSI installer, which could allow local privilege escalation.
      CVE-2024-35288Resolved

      Upgrade to version 13.70.8.82+

      Upgrade to version 14.26.0+

      Sandro Einfeldt and Michael Baer, SEC Consult Vulnerability Lab

      Nitro Pro 13.70.7.60 and earlier

      Nitro Pro 14.18.1.41 and earlier

      A Vulnerability in data handling for XFA documents could cause a file to be saved to an arbitrary location on the users filesystem.CVE-2024-44079Resolved

      Upgrade to version 13.70.8.82+

      Upgrade to version 14.27.0+

      Jörn Henkel
    • Last updated: 07/28/2023
      Originally published: 07/25/2023

      Update

      Nitro has released a new version of Nitro PDF Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVEStatusSolution

      Nitro Pro 13.70.4.50 and earlier

      Nitro Pro v14.1.2.47 – 14.5.0.11

      A security vulnerability in Artifex Ghostscript

      A security vulnerability has been identified in Artifex Ghostscript, which is used for file rendering and conversion

      CVE-2023-36664Resolved

      Upgrade to v13.70.7.60

      Upgrade to v14.7.1.21 or later

    • Last updated: 03/16/2023
      Originally published: 03/16/2023

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVEStatusSolution
      Nitro Pro v 13.70.2 and earlier

      A security vulnerability in Zlib version, a data compression library used by Nitro PDF Pro

      A security vulnerability has been discovered in the Zlib version, which is a data compression library utilized by Nitro PDF Pro.

      CVE-2022-37434ResolvedUpgrade to the latest version of Nitro PDF Pro
      Nitro Pro v 13.70.2 and earlier

      OpenSSL vulnerability - Access of Resource Using Incompatible Type ('Type Confusion')

      OpenSSL vulnerability - Access of Resource Using Incompatible Type ('Type Confusion') This vulnerability has been fixed by upgrading to OpenSSL 1.1.1t.

      CVE-2023-0286ResolvedUpgrade to the latest version of Nitro PDF Pro
    • Last updated: 12/7/2022
      Originally published: 12/7/2022

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVEStatusSolution
      Nitro Pro v 13.70.0 and earlier

      Execution of Arbitrary Commands within the Application

      A vulnerability exists where the application allows specially crafted PDF documents to execute arbitrary commands within the application.

      CVE-2022-46406ResolvedUpgrade to the latest version of Nitro PDF Pro
    • Last updated: 10/25/2021
      Originally published: 10/25/2021

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVEStatusSolution
      Nitro Pro v 13.49 and earlier

      JavaScript local_file_path Object use-after-free vulnerability

      A specially crafted document can cause an object containing the path to a document to be destroyed and then later reused, resulting in a use-after-free vulnerability, which can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.

      CVE-2021-21796
      ResolvedUpgrade to the latest version of Nitro Pro
      Nitro Pro v 13.49 and earlier

      JavaScript TimeOutObject double free vulnerability

      A specially crafted document can cause a reference to a timeout object to be stored in two different places. When closed, the document will result in the reference being released twice. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.

      CVE-2021-21797
      ResolvedUpgrade to the latest version of Nitro Pro
    • Last updated: 9/10/2021
      Originally published: 9/10/2021

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVEStatusSolution
      Nitro Pro v 13.47 and earlier

      Log4net parsing vulnerability
      Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

      Important: To apply this fix, please upgrade to the iManage Desktop application of version 10.5 or newer. In order to avoid documents becoming read-only, please ensure that all documents opened on the same machine are closed and CHECKED IN.

      CVE-2018-1285ResolvedUpgrade to the latest version of Nitro Pro
      Nitro Pro v 13.47 and earlierJavaScript document.flattenPages
      A vulnerability exists when opening a specially-crafted PDF document containing JavaScript which can lead to code execution under the context of the application.
      CVE-2021-21798ResolvedUpgrade to the latest version of Nitro Pro
    • Security Incident Update

      On September 30, 2020, Nitro became aware of an isolated security incident involving limited access to Nitro databases by an unauthorized third party.

      Upon learning about this incident, Nitro took immediate action to ensure the Nitro environment was secure and commenced an investigation with the support of leading cybersecurity and forensic experts. The investigation is now complete, and Nitro can provide further details:

      • The incident involved access to specific Nitro databases, which support certain online services and have been used primarily for the storage of information connected with Nitro’s free online products.
      • Nitro’s free online conversion service does not require users to create a Nitro account or to become a Nitro customer. Users are simply required to provide an email address to which converted files are delivered.
      • There was no impact to Nitro Pro or Nitro Analytics.
      • Exposed user data included user email addresses, full names, highly secure hashed and salted passwords, as well as document metadata in relation to the Nitro online services. A very small portion of the information included company names, titles, and IP addresses.
      • Passwords were not impacted for users who access our cloud services via Single Sign-On (SSO).
      • The investigation further identified limited activity by the unauthorized third party in a legacy cloud services location, impacting less than 0.0073% of stored data in this location. The activity suggests the unauthorized third party was specifically focused on obtaining data related to cryptocurrency.

      Upon learning of this incident, Nitro conducted a forced password reset for all users to further secure customer accounts. In addition to this, general guidance to maintain good cyber hygiene includes:

      • Changing online account passwords regularly, using a separate password for online banking, and using a password manager for remembering multiple passwords.
      • Never emailing passwords for online accounts and confirming if online accounts are secure by visiting https://haveibeenpwned.com/.
      • Enabling multi-factor authentication for online accounts where possible and ensuring up-to-date anti-virus software is installed on any device used to access online accounts.

      Since the incident, the Nitro IT Security Team has been working closely with external cybersecurity experts to bolster the security of all systems, including enhanced logging, detection and alerting services in all regions, as well as increased data monitoring and re-evaluation of all protocols. The IT environment remains secure and Nitro has not seen any malicious activity since the incident.

      Nitro takes the safety and security of our customers’ data seriously, and we are here to support our customers in any way that may be helpful. We encourage anyone with questions to contact incident@gonitro.com.

    • Last updated: 9/17/2020
      Originally published: 9/1/2020

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVEStatusSolution
      Nitro Pro v 13.19 and earlierObject stream parsing integer overflow
      A vulnerability exists when opening a specially-crafted PDF document with a cross-reference table which can lead to an out of bounds error causing memory corruption.
      CVE-2020-6113ResolvedUpgrade to the latest version of Nitro Pro
      Nitro Pro v 13.22 and earlierapp.launchURL JavaScript Command Injection
      A vulnerability exists when opening a specially-crafted PDF document containing JavaScript which can lead to command injection.
      CVE-‪2020-25290ResolvedUpgrade to the latest version of Nitro Pro
    • Last updated: 9/1/2020
      Originally published: 9/1/2020

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVEStatusSolution
      Nitro Pro v 13.22.0.414 and earlierXRefTable Entry Missing Object – Use After Free
      A vulnerability exists when opening a specially-crafted, malformed PDF document which can lead to a use-after-free condition.
      CVE-2020-6115ResolvedUpgrade to the latest version of Nitro Pro
      Nitro Pro v 13.22.0.414 and earlierIndexed ColorSpace Rendering – Buffer Overflow
      A vulnerability exists when opening a specially-crafted PDF document with an indexed colorspace which can lead to a buffer overflow causing memory corruption.
      CVE-2020-6116ResolvedUpgrade to the latest version of Nitro Pro
      Nitro Pro v 13.22.0.414 and earlierICCBased ColorSpace Rendering – Buffer Overflow
      A vulnerability exists when opening a specially-crafted PDF document with an ICCBased colorspace which can lead to a buffer overflow causing memory corruption.
      CVE-2020-6146ResolvedUpgrade to the latest version of Nitro Pro
      Nitro Pro v 13.22.0.414 and earlierapp.launchURL JavaScript Command Injection
      A vulnerability exists when opening a specially-crafted PDF document containing JavaScript which can lead to command injection
      NoneResolvedUpgrade to the latest version of Nitro Pro
    • Last updated: 8/2/2020
      Originally published: 8/2/2020

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVEStatusSolution

      Nitro Pro v 12.16.3.574 and earlier

      Nitro Sign is not affected

      Digital Signature “shadow attacks”
      A vulnerability exists when opening a specially-crafted, digitally signed PDF document that can cause previously hidden text to appear when the document is altered after signing.
      In order to trigger this vulnerability, the target must open a malicious document prepared in advance by a trusted signer.
      NoneResolvedUpgrade to the latest version of Nitro Pro
    • Last updated: 5/8/2020
      Originally published: 5/8/2020

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVEStatusSolution
      13.9.1.155 and earlierJavaScript XML error handling – Access of Uninitialised Pointer
      A vulnerability exists when opening a specially-crafted PDF document that can cause uninitialized memory access resulting in potential information disclosure. In order to trigger this vulnerability, the target must open a malicious file.
      CVE-2020-6093ResolvedUpgrade to the latest version of Nitro Pro
      13.9.1.155 and earlierPDF Nested Pages – Use After Free
      A vulnerability exists when opening a specially-crafted malicious PDF document which can lead to out-of-bounds write access with the potential to corrupt memory. In order to trigger this vulnerability, the target must open a malicious file.
      CVE-2020-6074ResolvedUpgrade to the latest version of Nitro Pro
      13.13.2.242 and earlierPDF Pattern Object – Integer Overflow or Wraparound
      A vulnerability exists when opening a specially-crafted malicious PDF document which can lead to out-of-bounds write access with the potential to corrupt memory. In order to trigger this vulnerability, the target must open a malicious file.
      CVE-2020-6092ResolvedUpgrade to the latest version of Nitro Pro
    • Last updated: 3/9/2020
      Originally published: 3/9/2020

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVE
      13.9 and priorHeap Corruption npdf.dlll
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to a heap corruption
      vulnerability with the potential to expose contents of memory.
      CVE-2020-10222
      13.9 and priorHeap Corruption JBIG2DecodeStream
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to a heap corruption
      vulnerability with the potential to expose contents of memory.
      CVE-2020-10223

      Solution

      Nitro recommends that customers who purchased through the Nitro eCommerce store update their software to the latest version below. Customers on Team plans may contact their Nitro Account Manager for access to updated installers and deployment instructions. Customers on Enterprise plans who have an assigned Customer Success Manager will receive details of updated releases that address the issues.

      Updated VersionAvailability
      13.13.2.242Please update to the latest version of Nitro Pro 13 available here

      For more information, please contact the Nitro Security Team at security@gonitro.com

    • Last updated: 1/9/2020
      Originally published: 10/31/2019

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVE
      13.6 and priorHeap Corruption JPEG2000 ssizDepth
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to heap corruption
      and the application crashing out. Arbitrary remote code
      execution has not been proven but may be possible.
      CVE-2019-5045
      13.6 and priorHeap Corruption JPEG2000 yTsiz
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to heap corruption
      and the application crashing out. Arbitrary remote code
      execution has not been proven but may be possible.
      CVE-2019-5046
      13.6 and priorUse After Free CharProcs
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to use-after-free
      condition and the application crashing out.
      CVE-2019-5047
      13.6 and priorHeap Corruption ICCBased Color Space
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to heap corruption
      and the application crashing out. Arbitrary remote code
      execution has not been proven but may be possible.
      CVE-2019-5048
      13.6 and priorHeap Corruption Page Kids
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to heap corruption
      and the application crashing out. Arbitrary remote code
      execution has not been proven but may be possible.
      CVE-2019-5050
      13.8 and priorUse After Free Stream Length
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to use-after-free
      condition and the application crashing out.
      CVE-2019-5053

      Solution

      Nitro recommends that customers who purchased through the Nitro eCommerce store update their software to the latest version below. Customers on Team plans may contact their Nitro Account Manager for access to updated installers and deployment instructions. Customers on Enterprise plans who have an assigned Customer Success Manager will receive details of updated releases that address the issues.

      Updated VersionAvailability
      13.9.1.155Please update to the latest version of Nitro Pro 13 available here

      For more information, please contact the Nitro Security Team at security@gonitro.com

    • Last updated: 12/20/2019
      Originally published: 12/20/2019

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVE
      12.0.0.112 and priorJBIG2Decode Out-of-Bounds Read Vulnerability
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to an out-of-bounds
      read vulnerability and the application crashing out.
      CVE-2019-19817
      12.0.0.112 and priorJBIG2Decode Out-of-Bounds Read Vulnerability
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to an out-of-bounds
      read vulnerability and the application crashing out.
      CVE-2019-19818
      12.0.0.112 and priorJBIG2Globals Null Pointer Deference Vulnerability
      A vulnerability exists when opening a specially crafted
      malicious PDF document which can lead to a null pointer
      deference vulnerability and the application crashing out.
      CVE-2019-19819
      12.17.0.584 and priorTemporary debug.log file
      In certain conditions (ie, an expired trial), a temporary
      file "debug.log" may be created in the Nitro Pro working
      directory. This debug.log file can be manipulated after
      the application is closed in the normal manner.
      CVE-2019-19858

      Solution

      Nitro recommends that customers who purchased through the Nitro eCommerce store update their software to the latest version below. Customers on Team plans may contact their Nitro Account Manager for access to updated installers and deployment instructions. Customers on Enterprise plans who have an assigned Customer Success Manager will receive details of updated releases that address the issues.

      Updated VersionAvailability
      13.8.2.140Please update to the latest version of Nitro Pro 13 available here

      For more information, please contact the Nitro Security Team at security@gonitro.com

    • Last updated: 10/18/2019
      Originally published: 10/18/2019

      Update

      Nitro are actively working to address several recently published potential vulnerabilities. Upon being made aware of their existence, we evaluated the accuracy of the claims, assessed the severity and likelihood any exploitation, and (based on our existing proactive vulnerability analysis and handling procedures) we then put the vulnerabilities into our remediation queue.

      We are taking these vulnerabilities seriously and will be addressing them in an upcoming update. For additional information, you may contact security@gonitro.com.

    • Last updated: 11/17/2017
      Originally published: 11/17/2017

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVE
      11.0.6 and prior
      10.5.9.14 and prior
      A vulnerability exists in the Doc.SaveAs function which
      could be exploited by a specially crafted PDF file,
      potentially leading to a File Write taking place outside
      of the intended path.
      CVE-2017-7442
      11.0.6 and prior
      10.5.9.14 and prior
      A vulnerability exists in the Doc.SaveAs function which
      could be exploited by a specially crafted PDF file,
      potentially leading to a URL launch taking place in
      conjunction with a Security Alert.
      CVE-2017-7442

      Solution

      Nitro recommends Personal (individual) users update their software to the latest version below. Business customers may contact their Nitro Account Manager for access to any security updates and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

      Updated VersionAvailability
      11.0.8.470Please update to the latest version of Nitro Pro 11 available here
      10Nitro is unable to fix this vulnerability in Nitro Pro 13. Please upgrade to the latest version of Nitro Pro 11 available here

      For more information, please contact the Nitro Security Team at security@gonitro.com

    • Last updated: 9/27/2017
      Originally published: 9/27/2017

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVE
      11.0.5.271 and prior
      10.5.9.14 and prior
      A memory write vulnerability that could potentially be
      exploited when opening a specially crafted PDF file, with
      a specific Count field, leading to memory corruption and
      a crash. 
      CVE Pending
      11.0.5.271 and prior
      10.5.9.14 and prior
      A use-after-free vulnerability exists that could potentially
      be exploited when opening a specially crafted PDF file
      containing a malformed JPEG2000 image, leading to
      memory corruption and a crash.
      CVE Pending

      Solution

      Nitro recommends Personal (individual) users update their software to the latest version below. Business customers may contact their Nitro Account Manager for access to any security updates and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

      Updated VersionAvailability
      11.0.8.470Please update to the latest version of Nitro Pro 11 available here
      10Nitro is unable to fix this vulnerability in Nitro Pro 13. Please upgrade to the latest version of Nitro Pro 11 available here

      For more information, please contact the Nitro Security Team at security@gonitro.com

    • Originally published: 7/21/2017

      Last updated: 8/25/2017

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVE
      11.0.3.173 and prior
      10.5.9.14 and prior
      An out of bound memory write vulnerability that could
      potentially be exploited when opening a specially crafted
      PDF file, leading to memory corruption and a crash.
      CVE-2017-2796
      11.0.3.173 and prior
      10.5.9.14 and prior
      A heap overflow vulnerability that could potentially be
      exploited when opening a specially crafted PCX image
      file, resulting in memory corruption and a crash.
      CVE-2017-7950

      Solution

      Nitro recommends Personal (individual) users update their software to the latest version, which includes fixes for these vulnerabilities. Business customers may contact their Nitro Account Manager for access to the latest version and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

      Updated VersionAvailability
      11.0.8.470Please update to the latest version of Nitro Pro 11 available here
      10Nitro is unable to fix this vulnerability in Nitro Pro 13. Please upgrade to the latest version of Nitro Pro 11 available here

      For more information, please contact the Nitro Security Team at security@gonitro.com

    • Originally published: 2/3/2017

      Last updated: 8/25/2017

      Update

      Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

      Affected VersionsVulnerabilityCVE
      11.0.3.134 and prior
      10.5.9.9 and prior
      A specially crafted PDF file can potentially cause
      memory corruption leading to a crash.
      CVE-2016-8709
      CVE-2016-8713
      11.0.3.134 and prior
      10.5.9.9 and prior
      A potential remote code execution vulnerability in the
      PDF parsing functionality of Nitro Pro.
      CVE-2016-8711

      Solution

      Nitro recommends Personal (individual) users update their software to the latest version, which includes fixes for these vulnerabilities. Business customers may contact their Nitro Account Manager for access to the latest version and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

      Updated VersionAvailability
      11.0.8.470Please update to the latest version of Nitro Pro 11 available here
      10.5.9.14+Please update to the latest version of Nitro Pro 13 available here

      For more information, please contact the Nitro Security Team at security@gonitro.com

    • Nitro Security Vulnerability & Bug Bounty Policy

      Policy

      Nitro is proud to have required few historical Product Updates for security vulnerabilities. Keeping user information safe and secure is a top priority and a core company value for us at Nitro. We welcome the contribution of external security researchers and look forward to awarding them for their invaluable contribution to the security of all Nitro users.

      Rewards

      Nitro provides rewards for accepted vulnerability reports at its discretion. Our minimum reward is a $25 USD Amazon gift card. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report. Keep in mind that this is not a contest or competition. We reserve the right to determine amount or even whether a reward should be granted.

      Applications in Scope

      Nitro Pro, Nitro Sign and Nitro Admin applications are eligible for the bounty program. In addition, any cloud-based partner platform applications are also eligible (eg Nitro File Actions). We may still reward anything with significant impact across our entire security posture, so we encourage you to report such vulnerabilities via this program.

      Security Vulnerability Reporting & Eligibility

      All Nitro security vulnerabilities should be reported via email to the Nitro Security Team at security@gonitro.com. To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

      • Share the security issue with us in detail, including the application name, version/build affected, concise steps to reproduce the vulnerability that are easily understood, information on the actual and potential impact of the vulnerability, and details of how it could be exploited;
      • Include a proof-of-concept file;
      • Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners will not result in any bounty reward since those are explicitly out of scope;
      • Give us a reasonable time to respond to the issue before making any information about it public;
      • Do not access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
      • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Nitro;
      • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and
      • Otherwise comply with all applicable laws.

      We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

      We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

      Security Vulnerability Process:

      (1) Nitro will acknowledge and assess any vulnerability reported according to the instructions above, typically within 7 days.

      (2) When a vulnerability is confirmed, Nitro will conduct risk analysis using the Common Vulnerability Scoring System (CVSS v3) and determine the most appropriate response for Nitro customers.

      • Critical Security Vulnerabilities: Issues within the software that, if not addressed, pose a high risk and probability of unauthorized access, alteration or destruction of information on a user's computer or connected computers. Nitro will resolve critical security vulnerabilities with a Product Update to the Current and Previous Release of Nitro Pro, and all cloud services, according to the Product Updates & Sunset Policy.
      • Non-Critical Security Vulnerabilities: Issues within the software that, if not addressed, pose a low to moderate risk and probability of unauthorized access, alteration or destruction of information on a user's computer or connected computers. Nitro at its discretion, will resolve Non-Critical Security Vulnerabilities with a Product Update to the Current Release of Nitro Pro only, and all cloud services according to the Product Updates & Sunset Policy.

      (3) Nitro will design, implement & test a fix for all Critical Security Vulnerabilities, and provide a Product Update to customers, typically within 90 days.

      (4) Nitro will publicly disclose all Critical Security Vulnerabilities, affected versions, and relevant details of Product Updates that address the issues, on this Nitro Security Updates page. Nitro does not publicly acknowledge individual security researchers for their submissions.

      Out-of-Scope Security Vulnerabilities

      The following issues are outside the scope of this policy & rewards program:

      • Attacks requiring physical access to a user's device.
      • Missing security headers which do not lead directly to a vulnerability.
      • Missing best practices (we require evidence of a security vulnerability).
      • Use of a known-vulnerable library (without evidence of exploitability).
      • Social engineering of Nitro employees or contractors.
      • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
      • Content spoofing and pure text injection vulnerabilities (where you can only inject text or an image into a page). We will accept and resolve a spoofing vulnerability where attacker can inject image or rich text (HTML), but it is not eligible for a bounty.
      • Nitro services unless you are able to hit private IPs or Nitro servers.

      Consequences of Complying with This Policy

      We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

      If legal action is initiated by a third party against you and you have complied with Nitro’s Security Vulnerability & Bug Bounty Policy, Nitro will take steps to make it known that your actions were conducted in compliance with this policy.

      Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

      The Fine Print

      You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are Ineligible for rewards. Nitro employees and their family members are not eligible for any rewards.

      In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Nitro reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.

      For more information, please contact the Nitro Security Team at security@gonitro.com