LabRat accepts coordinated vulnerability reports, provides security fixes without an added security-update fee, maintains release evidence and an SBOM, and uses a five-year minimum planning baseline for distributed products unless a documented shorter expected lifetime lawfully applies.
Scope and secure-by-default maintenance
LabRat monitors product-owned code, dependencies, authentication, tenant boundaries, update paths, and integral remote processing. Supported releases receive proportionate vulnerability triage, remediation, testing, and user guidance. Security fixes are not withheld solely to require purchase of unrelated new features.
Cloud Web and Worker surfaces are continuously updated by the operator. Mobile apps receive signed updates through their distribution channel. Local Runtime and CLI updates are delivered as signed or integrity-verifiable replacement releases through the documented installation channel.
Support period and launch gate
For launch planning, a distributed LabRat product uses a support-period baseline of at least five years from first EU market placement unless its documented expected use is shorter and the applicable Cyber Resilience Act assessment permits a shorter period. A longer expected use requires a longer period. The exact end month and year must be shown clearly at purchase or download.
A security update issued during the support period will remain available for at least ten years after release or for the rest of the support period, whichever is longer, subject to lawful distribution-channel constraints and an equivalent archive or replacement route.
Update delivery and user notice
- Security updates are provided without an additional security-update fee.
- Where technically feasible, a security fix is separable from unrelated feature changes.
- Critical user action, mitigation, or end-of-support information is communicated through the product, public site, release channel, or direct account contact appropriate to the risk.
- Automatic updates are used where appropriate for consumer security, while any available opt-out is explained clearly.
- Release records retain affected versions, severity, tests, artifact identity, deployment or store release, notice, and rollback or mitigation information.
Report a vulnerability
Email the public security contact with the affected surface and version, reproduction steps, impact, and a safe way to contact you. Use a minimal proof and avoid accessing another person’s workspace or retaining unnecessary data. LabRat will acknowledge credible reports, coordinate a reasonable disclosure window, and provide status when feasible.
Supported versions and mitigations
The hosted service supports the currently deployed version. For distributed software, the latest generally available version is the primary supported line; older versions receive a free path to the latest materially modified version when required and technically feasible. A security notice will identify affected and fixed versions and any temporary mitigation.
Unsupported historical software, unofficial builds, modified clients, and third-party operating systems remain outside the product support promise, but a vulnerability that affects a supported LabRat component is still triaged on its facts.
End-of-support notice and records
Before support ends, LabRat will provide clear notice through an available product or account channel and state the end month and year, affected versions, migration or export path, remaining security risk, and available successor. Technical documentation, risk assessments, SBOMs, vulnerability decisions, security updates, and release evidence are retained for the legally required period.