Security vulnerability response
Learn more about how we rate and resolve security vulnerabilities in our products.
Overview
Strivacity uses the NIST CVSS (Common Vulnerability Scoring System) to rate the vulnerabilities that we find and that are reported to us. CVSS establishes a common vernacular that we can use to discuss security issues internally and externally with our customers and enables us to determine when we’re going to resolve any vulnerabilities.
The table below shows the classification of the severity of the vulnerability relative to its CVSS score.
| Classification | CVSS Score |
|---|---|
| Critical | 9.0 - 10.0 |
| High | 7.0 - 8.9 |
| Medium | 4.0 - 6.9 |
| Low | 3.9 or below |
Resolution timelines
The resolution timelines of a vulnerability depend upon its classification, i.e., the severity of the vulnerability. Strivacity calculates these timeframes and determines the release vehicles from the date that the vulnerability has been confirmed as a true positive by our security team.
| Classification | CVSS Score | Resolution time (up to) | Release vehicle |
|---|---|---|---|
| Critical | 9.0 - 10.0 | 7 days | Hotfix to existing deployments, and an incremental product release for any new deployments/customers. |
| High | 7.0 - 8.9 | 14 days | Hotfix to existing deployments, and an incremental product release for any new deployments/customers. |
| Medium | 4.0 - 6.9 | 30 days | The next future scheduled product release. |
| Low | 3.9 or below | A future scheduled product release determined by Strivacity | A future scheduled product release at Strivacity’s discretion. |
Backporting policy
For any standalone or on-premises components we will backport any hotfixes (for High and Critical classified vulnerabilities) for any currently supported version of the product. The backporting of hotfixes beyond supported product versions is on customer request basis.
Updated 5 months ago