Vector GFX Customer Trust & Security Policy
Last Updated: February 20, 2026
Overview
At Vector GFX, we understand that our technical illustration software—including canvasxdraw—is a mission-critical tool for your engineering and design workflows. This document outlines our commitment to cyber defense, how we manage vulnerabilities across modern and legacy codebases, and our protocols for responding to security incidents.
Our Cyber Defense Program (CDP) is built on three pillars: Prevention, Detection, and Response. We align our internal practices with the National Institute of Standards and Technology (NIST) Cybersecurity Framework to ensure the integrity and availability of our software.
1. Vulnerability Management
Continuous Scanning: We run Static Application Security Testing (SAST) against our core source code and Dynamic Application Security Testing (DAST) against our distribution environments on a recurring schedule.
Third-Party Dependencies: We maintain a Software Bill of Materials (SBOM) covering every third-party library used in canvasxdraw and canvasxgeo, and monitor it against published vulnerability advisories so that an affected dependency is identified and updated.
The N-1 Support Model:
Current Version (N): Receives full security maintenance, including patches for Critical, High, and Medium vulnerabilities.
Preceding Version (N-1): Receives patches for Critical security vulnerabilities only.
Legacy (EOL): Any version older than N-1 is considered End-of-Life. We do not perform security testing or issue patches for EOL versions.
2. Secure Engineering Policies
Security is integrated into our Software Development Lifecycle (SDLC):
Code Signing: All production installers (.exe and .dmg) are digitally signed so that customers can verify their authenticity and detect any tampering before installation.
Access Control: Access to our master source code repositories is restricted via Multi-Factor Authentication (MFA) and the Principle of Least Privilege.
Beta Security Integrity: Participants in our Customer-Tested Beta Program operate in a logically isolated environment. Security findings in Beta builds are treated with "Priority-One" triage to ensure fixes are implemented before stable release.
3. Security Disclosure Program (SDP)
We maintain a "Safe Harbor" for security researchers and customers who discover and report potential vulnerabilities to us in good faith.
Reporting Channel: Please report all security concerns to support@vectorgfx.net.
SLA for Vulnerability Response:
Triage: We acknowledge critical reports within 24 business hours.
Remediation: Our target for releasing a "Critical" patch is 30 days from verification.
Public Disclosure: We ask that reporters provide us a reasonable time to patch before making any information public.
4. Incident Response Plan
In the event of a verified security breach or the discovery of a "Zero-Day" exploit affecting our users, Vector GFX follows a formal Incident Response (IR) protocol:
Detection & Analysis: Our IR team verifies the scope of the threat (e.g., a compromised update server or a malicious file-type exploit).
Containment: We take immediate steps to halt the spread, which may include temporarily disabling download links or revoking compromised code-signing certificates.
Customer Notification: If customer data or system security is at risk, Vector GFX commits to notifying affected customers via our Security Advisory mailing list within 72 hours of incident verification.
Recovery: We provide a "Clean Path" for customers, typically through an out-of-band security update or documented mitigation steps.
5. Customer Responsibilities
To maintain a secure environment, we recommend that customers:
Stay Current: Upgrade to the latest version (N) to receive the most robust security protections.
Verify Signatures: Before installing, confirm that the installer carries a valid digital signature and that the signer is Vector GFX, Inc. (on Windows, the Digital Signatures tab of the file's Properties or the Get-AuthenticodeSignature PowerShell cmdlet; on macOS, codesign --verify --verbose on the .dmg or the application it contains). A missing, invalid, or differently named signature indicates a tampered or counterfeit installer: do not run it.
Isolate Legacy Systems: If your workflow requires the use of EOL (End-of-Life) software, we recommend running those applications in an air-gapped or restricted network environment.
6. Proof of Compliance
For organizations requiring technical proof of these programs, Vector GFX provides:
A machine-readable security.txt file (per RFC 9116) at vectorgfx.net/.well-known/security.txt.
A historical Security Advisory Log within our Knowledge Base.
Annual Security Attestation documents (available upon request for Enterprise customers).
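As an added illustration of the security.txt item above (this is not Vector GFX's own file or tooling, and the page does not reproduce the real file), the POSIX shell snippet below embeds a constructed RFC 9116 security.txt and a small checker for the two fields a reporter depends on: at least one Contact and exactly one unexpired Expires. Only the reporting address comes from this policy; the Expires date, the Policy and Canonical URLs and the language field are assumptions.

```shell
#!/bin/sh
# Added example (not Vector GFX's own file or tooling): a constructed
# RFC 9116 security.txt and a checker for the fields a reporter relies on.
# Only the reporting address comes from the policy above; the Expires
# date, Policy URL and remaining values are assumptions.

# Constructed sample. RFC 9116 requires at least one Contact field and
# exactly one Expires field (ISO 8601, UTC, ideally under a year out).
SAMPLE_SECURITY_TXT='Contact: mailto:support@vectorgfx.net
Expires: 2027-02-20T00:00:00Z
Preferred-Languages: en
Canonical: https://vectorgfx.net/.well-known/security.txt
Policy: https://vectorgfx.net/security-policy'

# Print the value of the first Contact field in FILE. Field names are
# case-insensitive; a trailing CR is stripped in case the file is CRLF.
security_txt_contact() {
  grep -i '^Contact:' "$1" | head -n 1 | sed 's/^[Cc]ontact:[[:space:]]*//' | tr -d '\r'
}

# check_security_txt FILE: return 0 if FILE has a Contact field and a
# single, unexpired Expires field; otherwise print the reason and return 1.
check_security_txt() {
  file=$1
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)

  if ! grep -qi '^Contact:' "$file"; then
    echo "security.txt: missing Contact field" >&2
    return 1
  fi

  n=$(grep -ci '^Expires:' "$file" || true)
  if [ "$n" -ne 1 ]; then
    echo "security.txt: expected exactly one Expires field, found $n" >&2
    return 1
  fi

  expires=$(grep -i '^Expires:' "$file" | sed 's/^[Ee]xpires:[[:space:]]*//' | tr -d '\r')
  # Same-layout ISO 8601 UTC timestamps order correctly as plain strings,
  # so awk's string comparison is enough to detect an expired file.
  if awk -v e="$expires" -v n="$now" 'BEGIN { exit !(e < n) }'; then
    echo "security.txt: expired on $expires (now $now); treat the contact as stale" >&2
    return 1
  fi
  return 0
}

# Stand-alone demo against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SECURITY_TXT" > "$tmp"
if check_security_txt "$tmp"; then
  echo "security.txt OK; report to: $(security_txt_contact "$tmp")"
fi
rm -f "$tmp"
```

To check the published file rather than the sample, save a copy (for example with curl) and pass its path to check_security_txt; an expired or contact-less file means the published reporting route should not be trusted until it is corrected.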