Actipro Software is committed to delivering high-quality, secure, and reliable user interface control libraries for .NET developers.
Our products are used in mission-critical applications across many industries, and we take our role in the software supply chain seriously.
This page summarizes our secure development practices, our vulnerability reporting process, and the security characteristics of our products
in alignment with industry expectations and the EU Cyber Resilience Act (CRA).
Last updated: 2026-02-05
Product Overview and Security Scope
Actipro develops client-side user interface control libraries for .NET application frameworks, including:
These UI control products:
- Run entirely within the customer's application.
- Do not process, store, or transmit customer data.
- Do not perform authentication, networking, encryption, or security-critical operations.
- Do not operate as standalone web sites or services.
Because of this architecture, application-wide security remains the responsibility of the organizations that build and deploy applications using our controls.
Our responsibility is to ensure that our controls are developed securely, do not introduce unnecessary risk, and behave predictably within the host application.
For organizations with strict compliance or code-review requirements, Actipro offers Blueprint source code for all UI control products,
enabling independent verification of our implementation and security posture.
Secure Development Practices
Secure Design Principles
Actipro UI control libraries are designed with a strong emphasis on minimizing attack surface and
avoiding behaviors that could introduce unintended security risk.
Our products follow these principles:
- No dynamic code execution or unsafe reflection. Our controls do not load or execute untrusted code unless explicitly configured to do so.
- Safe, predictable API behavior. Public APIs validate inputs, avoid side effects, and are designed to prevent misuse that could impact application stability.
- Intentional extensibility. Extensibility points are limited, documented, and designed to avoid exposing internal implementation details.
- No process access. Actipro controls do not manage or interact with operating system processes.
- No network access. Our controls do not open network connections or transmit data.
  NOTE: License dialogs may offer optional links that open a browser to an Actipro URL using the platform's built-in launcher; no data is transmitted.
- No registry access. Our controls do not read from or write to the Windows registry.
  NOTE: The WPF and WinForms licensing system may check for Actipro license keys in the registry if license information is not supplied programmatically.
- No file system access unless required and expected for product functionality. Some controls include optional APIs that interact with files only when explicitly configured or invoked by the developer. Examples include:
  - SyntaxEditor - Optional APIs allow opening and saving documents.
  - SyntaxEditor Premium Add-ons - May write IntelliPrompt cache data to a private folder designated by the developer.
  - WPF Shell Controls - Use Win32 Shell APIs to enumerate and interact with the file system, as this is core to the product.
  - Other controls - May include optional APIs for loading or saving configuration files when explicitly requested by the developer.
Static Analysis and Code Quality
We use multiple layers of automated analysis, including:
- Roslyn analyzers.
- XAML analyzers for WPF and Avalonia.
- CodeQL (where applicable).
- Internal code review checklists.
These tools help detect insecure patterns, unsafe reflection, unbounded recursion, exception misuse, and other reliability issues.
Dependency and Supply-Chain Security
Actipro avoids the use of third-party dependencies whenever possible.
Actions to minimize supply-chain risk and ensure the long-term security of our UI control libraries include:
- Automated dependency scanning via GitHub Dependabot.
- NuGet vulnerability scanning.
- Careful review of any new necessary third-party dependencies.
- Digitally signed NuGet packages.
- Deterministic builds for reproducibility.
Build and Release Security
Actipro uses a controlled, secure build and release process to ensure every shipped product is authentic and trustworthy.
- Protected GitHub repositories with MFA.
- Controlled CI/CD pipelines.
- Signed release artifacts.
- Restricted publishing permissions.
- Audit trails for all releases.
Annual Security Review
Once per year, Actipro performs an internal review covering:
- Public API surface.
- Dependency posture.
- Secure development practices.
- Build and release processes.
- Threat modeling for UI control behavior.
Vulnerability Reporting and Handling
We welcome responsible disclosure of potential security issues.
Reporting a Vulnerability
Each UI control product's open-source GitHub repository hosts a Security Policy document that describes in detail how to report
a vulnerability, both for the related closed-source commercial product and for the open-source repository itself.
These pages serve as the authoritative source for vulnerability reporting of each product line, and also list any related security advisories.
Our Response Process
When a report is received:
- We acknowledge receipt promptly.
- We investigate and validate the issue.
- We develop and test a fix if required.
- We release the fix in a timely manner.
- We document the resolution in release notes or advisories.
We do not publicly disclose vulnerabilities until a fix is available.
Cyber Resilience Act (CRA)
The EU Cyber Resilience Act requires software vendors to provide transparency into secure development practices,
vulnerability handling, and product security characteristics. Actipro meets these expectations through:
Public Security Documentation
This Security Practices page provides:
- A description of our secure development approach.
- Our vulnerability reporting and remediation process.
- The intended use and security characteristics of our products.
- Links to our Security Policy (Security.md) documents.
- SBOM availability information.
Product Security Characteristics
For CRA compliance, we disclose that:
- Actipro UI controls are client-side components.
- They do not process personal data.
- They do not provide security-critical functions.
- They rely entirely on the host application's security model.
- They do not communicate externally or open network connections.
Software Bill of Materials (SBOM)
Actipro generates SBOMs for all commercial UI control products as part of our build process.
- SBOMs are available upon request.
- SBOMs are provided in an industry-standard format (CycloneDX).
Vulnerability Management
We maintain a structured vulnerability handling process aligned with CRA expectations, including:
- A public reporting channel with timely response.
- Remediation without undue delay.
- Transparent communication of fixes.
- Secure update delivery.
Support Period
Actipro provides security updates for the current major version or any active long-term support (LTS) versions of commercial UI control products,
with security fixes being applied to the latest released build of that version.
Other versions do not receive security updates.
Customers must upgrade to a supported version to receive security fixes.
For any open-source assets in a UI control product's open-source GitHub repository (samples, documentation, and utilities),
security updates are provided for the latest tagged release.
Vulnerability Notifications
Actipro uses GitHub Security Advisories for coordinated vulnerability disclosure.
In the unlikely event that a vulnerability meets the reporting thresholds defined by the EU Cyber Resilience Act,
Actipro will notify the appropriate EU authorities in accordance with CRA requirements.
Customer Responsibility
While Actipro provides secure, high-quality UI components, the overall security of applications built with our controls depends on:
- Application architecture.
- Data handling practices.
- Authentication and authorization design.
- Deployment environment.
- Customer-managed dependencies.
Organizations remain responsible for ensuring that their applications meet their own security, compliance, and regulatory requirements.
Blueprint source code is available for organizations that require deeper review or internal certification.
Questions?
Please contact us if you have any questions about our secure development policy,
and see our Policy List to view other Actipro policies.