SugarCRM's security policy is to immediately respond to any reports or allegations of security vulnerabilities or incidents by researching, analyzing, announcing and immediately delivering a quality update patch.

All security reports are treated as the highest priority to attain resolution and eliminate any risk that SugarCRM users could potentially experience. If a patch contains security fixes, the security fix information is communicated in the release notes of the patch.

Guidance for SugarCRM administrators:

• Always apply the latest patch of your installed version which will have the latest and cumulative security updates.
• Enable Sugar Updates from within the Admin console of your implementation. You will be automatically updated of any new security patches.
• Read the Sugar Forums for the latest guidance and news on how to protect your implementation.
• Stay informed about security alerts from the technology stack powering your CRM solution. Be aware of the platform vulnerabilities, and be proactive in addressing those potential problems

SugarCRM encourages security researchers, system administrators or developers to report any vulnerability directly to secure@sugarcrm.com.